000021522 - Can you enforce DN uniqueness on KCA

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000021522
Applies To: Keon Certificate Authority
Issue: Can you enforce DN uniqueness on KCA?
Resolution: Uniqueness of the Distinguished Name is not enforced by LDAP or by the KCA. There is currently no way to enforce DN uniqueness in KCA 6.5.1 as of Nov. 2004.

The KCA is built on LDAP, and LDAP does not enforce DN uniqueness. This may seem confusing, since the DN is used much like a postal address to locate the desired record. On a directory server, however, records are not looked up in an index as they are in a database.

In a directory server the chain of objects is followed down to the desired location, and the Distinguished Name identifies the links in that chain. LDAP does not require the DN to be unique because, once the objects matching the complete DN have been reached, the protocol uses the RDN (Relative Distinguished Name), which contains attributes of the objects, to determine a precise match with a single object. The KCA uses the MD5 hash of the certificate in the RDN to discriminate between objects that share a distinguished name.

For example, shown below are two end-entity SSL certificates with the same DN. Each was made from a separate request, and the certificate name of request TWO was changed to the value "ONE" during approval. Notice the Subject DN values, the Request ID values, and the MD5 values:

Subject DN
Common Name (CN): ONE
Organizational Unit (OU): ZERO
Organization (O): ZERO

Subject DN
Common Name (CN): ONE
Organizational Unit (OU): ZERO
Organization (O): ZERO

Certificate for ONE
Certificate Name: ONE
Request ID: C0A882AE0000027C000000020000000F
Client Type: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Certificate Chain: ZERO Six Six
Issuing Jurisdiction ID: 94a093a5d1d3c2096cd85169f874b2d29afb9463
Issuing Jurisdiction Name: ZERO Six Six
Status: Active
Certificate ID (MD5): 6ded803245f55dd0f3140ac2ed86921b
Serial No.: 69B44FDF9770F7FB444EB035B60205E3
Subject DN
Common Name (CN): ONE
Organizational Unit (OU): ZERO
Organization (O): ZERO
Valid From: Wednesday, November 09, 2005 10:02:00 AM
Valid Until: Tuesday, October 29, 2030 1:27:48 PM
Certificate (PEM format): view
Renewal Policy: Group Policy

Certificate for TWO
Certificate Name: TWO
Request ID: C0A882AE0000027C0000000200000010
Client Type: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Certificate Chain: ZERO Six Six
Issuing Jurisdiction ID: 94a093a5d1d3c2096cd85169f874b2d29afb9463
Issuing Jurisdiction Name: ZERO Six Six
Status: Active
Certificate ID (MD5): 1614074fed8df3b430bbf46959608044
Serial No.: 83CE52659EE37490555C1BDDAF94562D
Subject DN
Common Name (CN): ONE
Organizational Unit (OU): ZERO
Organization (O): ZERO
Valid From: Wednesday, November 09, 2005 10:02:48 AM
Valid Until: Tuesday, October 29, 2030 1:26:12 PM
Certificate (PEM format): view
Renewal Policy: Group Policy
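The following Python is an added illustration, not part of this article or of the KCA product code. It models how an MD5 hash in the leading RDN keeps two certificates with the same subject DN (as the two records above) in separate directory entries, and adds the duplicate-subject-DN audit an operator must run themselves, since neither LDAP nor KCA refuses the second certificate. The certificate bytes, the `certificateId` attribute name and the case-folding DN normalisation are constructed assumptions, not KCA's real schema.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for two DER-encoded certificates that share the
# subject DN cn=ONE,ou=ZERO,o=ZERO. Real certificate bytes would go here;
# these are made up so the example runs offline.
CERT_ONE = b"constructed-der-cert-ONE-request-0F"
CERT_TWO = b"constructed-der-cert-TWO-request-10"

SUBJECT_DN = "cn=ONE,ou=ZERO,o=ZERO"


def cert_id_md5(der: bytes) -> str:
    """MD5 over the whole certificate, the 'Certificate ID (MD5)' shown in KCA."""
    return hashlib.md5(der).hexdigest()


def entry_dn(subject_dn: str, der: bytes, rdn_attr: str = "certificateId") -> str:
    """Build the directory DN of one certificate entry.

    The leading RDN carries the MD5 hash, so two certificates issued to the
    same subject DN still land in two distinct entries. 'certificateId' is an
    assumed attribute name for illustration only.
    """
    return f"{rdn_attr}={cert_id_md5(der)},{subject_dn}"


def normalise_dn(dn: str) -> str:
    """Crude DN normalisation (assumed): strip whitespace around RDNs and fold case."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_duplicate_subject_dns(entries):
    """Return {subject_dn: [md5, ...]} for every subject DN held by more than
    one certificate. entries is an iterable of (subject_dn, der_bytes)."""
    by_subject = defaultdict(list)
    for subject_dn, der in entries:
        by_subject[normalise_dn(subject_dn)].append(cert_id_md5(der))
    return {dn: ids for dn, ids in by_subject.items() if len(ids) > 1}


if __name__ == "__main__":
    for der in (CERT_ONE, CERT_TWO):
        print(entry_dn(SUBJECT_DN, der))
    print(find_duplicate_subject_dns([(SUBJECT_DN, CERT_ONE), (SUBJECT_DN, CERT_TWO)]))
```

Running the audit periodically against the directory export is the practical substitute for the uniqueness check the product lacks.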

Legacy Article ID: a23436
