Need clarity on .PEM file that is to be provided when using TLS with Libmongoc

Hello,

I’m upgrading my company’s Mongo C driver to 1.29.0 from 1.12.0, specifically so we can use TLS 1.3 in connections. The driver is part of our Windows application which we sell to hundreds of client organizations.

I have no experience with referencing specific Certificates or .PEM files through code, so have some basic questions on how this is supposed to work, and/or what Cert I need to acquire to satisfy the requirements under “Specify a CA File” on this page:

Do I just acquire a TLS Cert from DigiCert or another provider, and embed this into my app distribution so it can be found at runtime? Again this application will run in many different environments owned by different organizations. How can I be sure this will work in every external client’s environment?

Isn’t there a way to simply have Windows locate the relevant Cert in the Cert store? I’ve updated a number of other external libraries that we use for TLS, and no other one has had a similar requirement for a .PEM file - rather they just need to be directed to use the Windows Cert store. Did I miss this option somewhere, or do I need to acquire a special Cert for this as I was referring to above?

Any help with clarifying how this is meant to work would be very much appreciated.

Thanks!

-Kevin

Hi @Kevin_Kinzler

What I think you are looking for is further down the page, under Native TLS Support on Windows (Secure Channel), which will be using the Windows Certificate Store (and its trusted roots):

https://www.mongodb.com/docs/languages/c/c-driver/current/connect/tls/#native-tls-support-on-windows--secure-channel-

Specifically for the CA File question, it is the CA chain that signed the MongoDB Server Certificate.


Thank you, Chris! I appreciate the clarification. It seems maybe I was mis-reading the tlscertificatekeyfile / MONGOC_URI_TLSCERTIFICATEKEYFILE parameter as a requirement, when it is really just an option?

Am I understanding correctly then, that if I don’t set the parameter above, or “tlsCAFile”, then this will cause the driver to use the Windows Certificate Store?

Thanks again for your help!

-Kevin


If compiled against the native TLS, then when tlsCAFile is not set, the Windows Certificate Store is used. When the option is set, ONLY the CAs in the tlsCAFile will be used.

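A pre-flight check that follows from the answer above, added here as an example that is not from the thread or from the driver itself: since a set tlsCAFile replaces the Windows Certificate Store as the only trust anchors, the file should contain nothing but the CA chain that signed the server certificate, as PEM CERTIFICATE blocks. The sample buffers are constructed placeholders, not real certificates, and `count_ca_certs` is a hypothetical helper name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample PEM buffers (placeholder bodies, not real certificates). */
const char *const SAMPLE_CA_CHAIN =
    "-----BEGIN CERTIFICATE-----\nMIIB...intermediate-ca...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...root-ca...\n-----END CERTIFICATE-----\n";
const char *const SAMPLE_WITH_KEY =
    "-----BEGIN CERTIFICATE-----\nMIIB...server...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIE...secret...\n-----END PRIVATE KEY-----\n";

/* Count the CERTIFICATE blocks in a PEM buffer meant for tlsCAFile.
 * Returns the number of blocks, or -1 if a block is unterminated or carries
 * any other label (a PRIVATE KEY block means the wrong file was chosen:
 * keys go in tlsCertificateKeyFile, the CA file holds only the CA chain). */
int count_ca_certs(const char *pem)
{
    static const char begin_tag[] = "-----BEGIN ";
    static const char end_cert[] = "-----END CERTIFICATE-----";
    const char *p = pem;
    int count = 0;

    while ((p = strstr(p, begin_tag)) != NULL) {
        const char *label = p + sizeof(begin_tag) - 1;
        const char *label_end = strstr(label, "-----");
        if (label_end == NULL)
            return -1;                                   /* broken header */
        if ((size_t)(label_end - label) != strlen("CERTIFICATE") ||
            strncmp(label, "CERTIFICATE", (size_t)(label_end - label)) != 0)
            return -1;                                   /* not a CA cert */
        p = strstr(label_end, end_cert);
        if (p == NULL)
            return -1;                                   /* no matching END */
        p += sizeof(end_cert) - 1;
        count++;
    }
    return count;
}

int main(void)
{
    /* Two CA certificates: suitable for tlsCAFile (which then replaces the
     * Windows Certificate Store as the set of trusted roots). */
    printf("chain: %d certificate(s)\n", count_ca_certs(SAMPLE_CA_CHAIN));
    /* Contains a private key: reject, this belongs in tlsCertificateKeyFile. */
    printf("with key: %d\n", count_ca_certs(SAMPLE_WITH_KEY));
    return 0;
}
```

If the check returns 0 and the connection string sets tlsCAFile anyway, no CA is trusted at all, which surfaces as a TLS handshake failure rather than a fallback to the Windows store.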

Thanks for the follow-up, it seems I should be all set then, and no new certificate is required.

Marking as Solution, thanks again!

-Kevin

