000022044 - How to publish certificates from RSA Keon Certificate Authority to an external LDAP (Sun ONE or Active Directory) using email from certificates' subject DN

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000022044
Applies To: Keon Certificate Authority 6.5.1
Sun ONE Directory Server 5.2
Microsoft Active Directory
Issue: How to publish certificates from RSA Keon Certificate Authority to an external LDAP (Sun ONE or Active Directory) using email from certificates' subject DN
External LDAP (Sun ONE or Active Directory) is configured as follows:

O=sales,DC=acme,DC=com
    OU=headoffice
        CN=<some-user-a1>
        CN=<some-user-a2>
        ....
        OU=users
            CN=<some-user-b1>
            CN=<some-user-b2>
            ....
    OU=branchoffices
        OU=<some-city-x>
            OU=users
                CN=<some-user-c1>
                CN=<some-user-c2>
                ....
        OU=<some-city-y>
            OU=users
                CN=<some-user-d1>
                CN=<some-user-d2>
                ....
        OU=<some-city-z>
            OU=users
               CN=<some-user-e1>
               CN=<some-user-e2>
               ....
Other details and constraints are as follows:

- Full city names are used in the external LDAP as values for OU. For example, OU=<some-city-x> may look like OU=Chicago.
- CN in the DN of user objects in LDAP contains userid values (e.g., "jdoe") rather than the full name of the user (e.g., "John Doe"). For example, a user John Doe may exist at the DN "CN=jdoe,OU=users,OU=Chicago,OU=branchoffices,O=sales,DC=acme,DC=com".
- The MAIL attribute of the user objects in LDAP contains unique values.
- The subject DN of certificates generated through Keon CA contains the attributes CN, OU, C, and EA/EMAIL.
- The CN attribute in the certificates' subject DN contains the full name of the user (e.g., "John Doe").
- The OU attribute in the certificates' subject DN contains 3-letter abbreviations of cities (e.g., BOS for Boston).
- The only attribute value common between the certificates generated by Keon CA and the user objects in LDAP to which the certificates need to be published is the email address.
Keon CA must be configured to publish certificates to correct user objects in the external LDAP. User objects are present in the external LDAP, and Keon CA need not create any user objects, only publish the certificates.
Resolution: Configure the "External Publishing" section of the jurisdiction configuration as follows (Keon CA administrative interface => CA Operations workbench => view a CA => select a jurisdiction under 'Jurisdiction Configuration' and click the 'Configure' button => select the section 'External Publishing'):

    Publish Certificates:  Checked
    Host: <LDAP host name>
    Port: <LDAP port number>
    Bind DN: <LDAP bind DN>
    Bind Password: <LDAP bind password>
    Base DN: O=sales,DC=acme,DC=com
    Create DN From Certificate DN: Not Checked
    Certificate DN: MAIL
[IMPORTANT NOTE: If you enter an all-lowercase value (e.g., "mail") in the "Certificate DN" box, it will be changed to all uppercase after the jurisdiction settings are saved. This attribute name is also used to construct the LDAP search filter. It need not be present in the certificate DN; if it is not, an appropriate DN Mapping must be specified as listed below.]
    DN Mapping: MAIL -> email
[IMPORTANT NOTE: Any value entered in the "From" box is considered case sensitive, so it must be all uppercase to ensure it matches the value entered above in the "Certificate DN" box. Values entered in the "To" box are case insensitive.]
    Use Search to Create DN: Checked
    End-Entity Class: <user object's objectClass>
[Example: "inetorgperson" for Sun ONE Directory Server; "User" for Active Directory]
    End-Entity Certificate Field: userCertificate
    Create End Entity As:  This field must be left empty as user objects already exist in external LDAP and need not be created by Keon CA

Save the above configuration, and test by publishing an existing end-entity certificate or issue a new test certificate.  The certificate should be published to the external LDAP.
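The following script is an added illustration of what the "Use Search to Create DN" setting makes Keon CA do, written for this article and not RSA's own code. It assumes a simplified model: the email value is taken from the certificate's subject DN (under the RDN types EMAIL, EA, E or EMAILADDRESS, an assumption), mapped through "MAIL -> mail", and used in an RFC 4515 search filter restricted to the End-Entity Class under the Base DN. The directory is a constructed in-memory list modelled on the tree above, so the script runs offline. Two points a practitioner should check in a real deployment are shown: the filter value is escaped so an unusual email cannot widen the search, and the certificate is written only when exactly one user object matches, since a missing user or a duplicated mail value should fail rather than land on the wrong object.

```python
from typing import Any, Dict, List

# Constructed sample directory modelled on the article's tree (userid CNs, unique mail).
DIRECTORY: List[Dict[str, Any]] = [
    {"dn": "CN=jdoe,OU=users,OU=Chicago,OU=branchoffices,O=sales,DC=acme,DC=com",
     "objectClass": ["top", "person", "inetorgperson"],
     "mail": ["jdoe@acme.com"], "userCertificate": []},
    {"dn": "CN=asmith,OU=headoffice,O=sales,DC=acme,DC=com",
     "objectClass": ["top", "person", "inetorgperson"],
     "mail": ["asmith@acme.com"], "userCertificate": []},
    # Non-user object that also carries a mail value: must never receive a certificate.
    {"dn": "CN=printers,OU=headoffice,O=sales,DC=acme,DC=com",
     "objectClass": ["top", "device"],
     "mail": ["printers@acme.com"], "userCertificate": []},
]

# Jurisdiction settings from the article's Resolution section.
BASE_DN = "O=sales,DC=acme,DC=com"
END_ENTITY_CLASS = "inetorgperson"      # "User" for Active Directory
CERT_FIELD = "userCertificate"
DN_MAPPING = {"MAIL": "mail"}           # "From" (filter attribute name) -> "To"
# Assumption: RDN types under which the email appears in a Keon subject DN.
CERT_EMAIL_TYPES = ("EMAIL", "EA", "E", "EMAILADDRESS")


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=John Doe,OU=BOS,C=US,EMAIL=jdoe@acme.com' into {TYPE: value}."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # backslash-escaped char is kept literally
            cur += dn[i + 1]
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends the RDN
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur)
    parsed = {}
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        parsed[attr_type.strip().upper()] = value.strip()
    return parsed


def certificate_email(subject: Dict[str, str]) -> str:
    """Return the email from the subject DN, the only value shared with LDAP."""
    for name in CERT_EMAIL_TYPES:
        if name in subject:
            return subject[name]
    raise ValueError("certificate subject DN carries no email attribute")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value such as 'a*)' must not widen the search."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(c, c) for c in value)


def build_search_filter(subject: Dict[str, str]) -> str:
    """Filter sent to the directory: End-Entity Class AND the mapped mail attribute."""
    ldap_attr = DN_MAPPING["MAIL"]
    return "(&(objectClass=%s)(%s=%s))" % (
        END_ENTITY_CLASS, ldap_attr, escape_filter_value(certificate_email(subject)))


def search(directory: List[Dict[str, Any]], email: str) -> List[Dict[str, Any]]:
    """In-memory stand-in for the subtree search: exact, case-insensitive match."""
    ldap_attr = DN_MAPPING["MAIL"]
    return [
        e for e in directory
        if e["dn"].lower().endswith("," + BASE_DN.lower())
        and END_ENTITY_CLASS.lower() in (c.lower() for c in e["objectClass"])
        and email.lower() in (m.lower() for m in e.get(ldap_attr, []))
    ]


def publish_certificate(subject_dn: str, cert_der: bytes,
                        directory: List[Dict[str, Any]] = DIRECTORY) -> str:
    """Append cert_der to the single matching user object and return its DN.
    Zero or several matches raise LookupError instead of publishing."""
    subject = parse_subject_dn(subject_dn)
    matches = search(directory, certificate_email(subject))
    if len(matches) != 1:
        raise LookupError("%d entries matched %s; not publishing"
                          % (len(matches), build_search_filter(subject)))
    matches[0][CERT_FIELD].append(cert_der)
    return matches[0]["dn"]


if __name__ == "__main__":
    # Constructed subject DN in the article's shape; the cert bytes are a placeholder.
    print("published to", publish_certificate(
        "CN=John Doe,OU=CHI,C=US,EMAIL=jdoe@acme.com", b"\x30\x82"))
```

Run it as a script to see the jdoe entry selected from a certificate whose CN ("John Doe") and OU ("CHI") match nothing in the directory, exactly the situation the article describes. The printers object is rejected by the objectClass clause even though its mail value would match, which is why the End-Entity Class setting should name the user class and not be left broad.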
Legacy Article ID: a29496
