X509 Certificate: Identity of DN (Distinguished Names)
I use keytool to create an X509 certificate with the subject:
cn=alice, ou=demo client, o=mycompany, l=site1, st=wll, c=nz
But after creating the CSR, the entry that gets signed (I use "openssl ca") has "o" and "l" reversed:
cn=alice, ou=demo client, l=site1, o=mycompany, st=wll, c=nz
Are both subjects still considered the same? Or is the order important?
They may or may not be the same, depending on how the subject distinguished name (DN) is encoded in the CSR and the certificate. A DN is defined as the X.501 type Name. From RFC 5280:
Name ::= CHOICE { -- only one possibility for now --
  rdnSequence RDNSequence }

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

RelativeDistinguishedName ::=
  SET SIZE (1..MAX) OF AttributeTypeAndValue

AttributeTypeAndValue ::= SEQUENCE {
  type   AttributeType,
  value  AttributeValue }

AttributeType ::= OBJECT IDENTIFIER

AttributeValue ::= ANY -- DEFINED BY AttributeType
The distinguishedNameMatch rule is defined in RFC 5280 section 7.1 (emphasis mine):
Two naming attributes match if the attribute types are the same and the values of the attributes are an exact match after processing with the string preparation algorithm. Two relative distinguished names RDN1 and RDN2 match if they have the same number of naming attributes and for each naming attribute in RDN1 there is a matching naming attribute in RDN2. Two distinguished names DN1 and DN2 match if they have the same number of RDNs, for each RDN in DN1 there is a matching RDN in DN2, and the matching RDNs appear in the same order in both DNs. A distinguished name DN1 is within the subtree defined by the distinguished name DN2 if DN1 contains at least as many RDNs as DN2, and DN1 and DN2 are a match when trailing RDNs in DN1 are ignored.
If the organization (o) and location (l) attributes appear in the same relative distinguished name set in the subject DN of both the CSR and the certificate, then, all else being equal, the DNs are equal. If they are in different RDNs, the order of the RDNs has been changed, making the DNs different.
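The matching rule above applied to the two subjects from the question, as an added example that is not part of the original answer. It parses a DN string into an RDNSequence (treating '+' as the separator for attributes sharing one RDN), uses a simplified stand-in for the RFC 4518 string preparation step (assumption: case folding and whitespace collapsing only), and assumes no escaped commas or plus signs in values.

```python
"""RFC 5280 7.1 distinguishedNameMatch on string-form DNs.

A DN is an RDNSequence: an ordered list of RDNs. Each RDN is an
unordered SET of (type, value) attributes. Order between RDNs
matters; order of attributes inside one RDN does not.
"""
import re


def _prep(value: str) -> str:
    # Simplified stand-in for the RFC 4518 string preparation profile:
    # collapse insignificant whitespace and case-fold. The real profile
    # also performs Unicode mapping and normalisation (omitted here).
    return re.sub(r"\s+", " ", value.strip()).casefold()


def parse_dn(dn: str) -> list:
    """Parse 'cn=alice, o=x+l=y, c=nz' into a list of frozensets.

    Each RDN becomes a frozenset of (type, prepared value) pairs, so
    comparing two RDNs ignores attribute order within the set.
    """
    rdns = []
    for rdn in dn.split(","):
        attrs = set()
        for atv in rdn.split("+"):
            typ, sep, val = atv.partition("=")
            if not sep or not typ.strip():
                raise ValueError(f"malformed attribute: {atv!r}")
            attrs.add((typ.strip().casefold(), _prep(val)))
        rdns.append(frozenset(attrs))
    return rdns


def dn_match(dn1: str, dn2: str) -> bool:
    """Same number of RDNs, each RDN matching, in the same order."""
    a, b = parse_dn(dn1), parse_dn(dn2)
    return len(a) == len(b) and all(x == y for x, y in zip(a, b))


# The two subjects from the question: o and l are separate RDNs whose
# order differs, so the DNs do not match.
KEYTOOL_SUBJECT = "cn=alice, ou=demo client, o=mycompany, l=site1, st=wll, c=nz"
OPENSSL_SUBJECT = "cn=alice, ou=demo client, l=site1, o=mycompany, st=wll, c=nz"

# Constructed variant: o and l inside one multi-valued RDN, where the
# order within the SET is irrelevant and the DNs do match.
MULTI_A = "cn=alice, ou=demo client, o=mycompany+l=site1, st=wll, c=nz"
MULTI_B = "cn=alice, ou=demo client, l=site1+o=mycompany, st=wll, c=nz"

if __name__ == "__main__":
    print(dn_match(KEYTOOL_SUBJECT, OPENSSL_SUBJECT))  # False
    print(dn_match(MULTI_A, MULTI_B))  # True
```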