Applies To: Keon Certificate Authority
Issue: Can DN uniqueness be enforced on KCA?
Resolution: Uniqueness of the certificate subject Distinguished Name is not enforced by LDAP or by the KCA. As of November 2004 there is no way to enforce DN uniqueness in KCA 6.5.1.
The KCA stores its certificate records in an LDAP directory, and neither LDAP nor the KCA requires the certificate subject DN to be unique. This may seem surprising, since a DN is used much like a postal address to locate the desired record. Directory servers, however, do not look records up in an index the way a relational database does.
A directory server locates an entry by following the chain of objects from the root of the tree down to the entry. The Distinguished Name names each link in that chain, and each link is a Relative Distinguished Name (RDN): an attribute-value pair belonging to the object at that level. Two certificates with the same subject DN therefore share every link in the chain except the last one. The KCA makes that last link distinct by including the MD5 hash of the certificate in the entry's RDN, so certificates with identical subject DNs remain separate, individually addressable directory objects.
For example, shown below are two end-entity SSL certificates with the same DN. Each was issued from a separate request; during approval the certificate name on request TWO was changed to the value "ONE". Notice the Subject DN values, the Request ID values, and the MD5 values:
Certificate for ONE
Certificate for TWO
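The situation described above, modelled as an added example (this is not KCA code and not taken from the original article): two certificates from separate requests carry the same subject DN, the directory walks the same chain of RDNs for both, and only the leaf RDN built from the certificate's MD5 hash keeps the two entries apart. Because the CA itself will not refuse the second certificate, the block also includes the audit check an operator has to run on their own: group issued certificates by normalized subject DN and report duplicates. The attribute name `md5`, the entry layout `md5=<hash>,<subject DN>`, the subject DN, and the certificate bytes are all assumptions constructed for illustration; real DER certificates would differ in serial number, key and validity, which is what makes their hashes differ.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for two DER-encoded certificates issued from separate
# requests but carrying the same subject DN. The bytes are invented only so
# that the two hashes differ, as real certificates' bytes would.
CERT_ONE = b"constructed-stand-in-for-DER-certificate-request-1"
CERT_TWO = b"constructed-stand-in-for-DER-certificate-request-2"
SUBJECT = "CN=ONE,OU=Sales,O=Example Corp,C=US"  # assumed subject DN


def split_dn(dn: str) -> List[str]:
    """Split an RFC 4514 string DN into its RDNs, leaf first, honouring
    backslash-escaped commas inside attribute values."""
    rdns: List[str] = []
    cur: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing subject DNs: attribute types upper-cased,
    whitespace around separators dropped. Per-attribute value matching rules
    (e.g. case-insensitive CN) are deliberately not applied here."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def cert_md5(der: bytes) -> str:
    """Hex MD5 of the certificate bytes, used only as an entry discriminator."""
    return hashlib.md5(der).hexdigest()


def entry_dn(subject_dn: str, der: bytes) -> str:
    """Directory DN for the certificate's entry. The leaf RDN is derived from
    the certificate hash; the attribute name 'md5' and this layout are an
    assumption for illustration, not the KCA's actual schema."""
    return f"md5={cert_md5(der)},{normalize_dn(subject_dn)}"


def add_entry(tree: Dict, dn: str) -> List[str]:
    """Insert an entry by walking the DN from root to leaf and creating each
    node on the way (the chain-of-objects lookup a directory performs).
    Returns the ordered list of RDNs followed."""
    node = tree
    path: List[str] = []
    for rdn in reversed(split_dn(dn)):
        node = node.setdefault(rdn, {})
        path.append(rdn)
    return path


def find_duplicate_subjects(certs: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Audit check: since the CA does not enforce subject uniqueness, group
    issued certificates by normalized subject DN and report every subject
    that appears more than once, with the MD5 of each certificate."""
    by_subject: Dict[str, List[str]] = {}
    for subject, der in certs:
        by_subject.setdefault(normalize_dn(subject), []).append(cert_md5(der))
    return {s: hashes for s, hashes in by_subject.items() if len(hashes) > 1}


def build_directory() -> Dict:
    """Directory tree holding both certificates; they share every node down
    to CN=ONE and diverge only at the md5= leaf."""
    tree: Dict = {}
    for der in (CERT_ONE, CERT_TWO):
        add_entry(tree, entry_dn(SUBJECT, der))
    return tree


if __name__ == "__main__":
    tree = build_directory()
    leaf = tree["C=US"]["O=Example Corp"]["OU=Sales"]["CN=ONE"]
    print("entries under CN=ONE:", list(leaf))
    print("duplicate subjects:",
          find_duplicate_subjects([(SUBJECT, CERT_ONE), (SUBJECT, CERT_TWO)]))
```

Running it shows two `md5=...` children under the single `CN=ONE` node, which is exactly why the directory can hold both certificates without conflict. The hash keeps the directory entries apart; it does nothing to stop the second certificate from being issued, so `find_duplicate_subjects` is the control an operator has to apply outside the CA, for instance over a periodic export of issued certificates.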
Legacy Article ID: a23436