1 files changed, 37 insertions, 0 deletions

diff --git a/jstests/ssl/ssl_intermediate_ca.js b/jstests/ssl/ssl_intermediate_ca.js
new file mode 100644
index 00000000000..838f43bcb30
--- /dev/null
+++ b/jstests/ssl/ssl_intermediate_ca.js
@@ -0,0 +1,37 @@
+// Test that including intermediate certificates
+// in the certificate key file will be sent to the remote.
+
+(function() {
+    'use strict';
+
+    load('jstests/ssl/libs/ssl_helpers.js');
+
+    if (determineSSLProvider() === 'windows') {
+        // FIXME: SERVER-39574
+        print("Skipping test with windows SChannel pending SERVER-39574");
+        return;
+    }
+
+    // server-intermediate-ca was signed by ca.pem, not trusted-ca.pem
+    const VALID_CA = 'jstests/libs/ca.pem';
+    const INVALID_CA = 'jstests/libs/trusted-ca.pem';
+
+    function runTest(inbound, outbound) {
+        const mongod = MongoRunner.runMongod({
+            sslMode: 'requireSSL',
+            sslAllowConnectionsWithoutCertificates: '',
+            sslPEMKeyFile: 'jstests/libs/server-intermediate-ca.pem',
+            sslCAFile: outbound,
+            sslClusterCAFile: inbound,
+        });
+        assert(mongod);
+        assert.eq(mongod.getDB('admin').system.users.find({}).toArray(), []);
+        MongoRunner.stopMongod(mongod);
+    }
+
+    // Normal mode, we have a valid CA being presented for outbound and inbound.
+    runTest(VALID_CA, VALID_CA);
+
+    // Alternate CA mode, only the inbound CA is valid.
+    runTest(VALID_CA, INVALID_CA);
+})();