000024096 - Is it possible to alter the DN of a Keon Certificate Authority?

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000024096
Applies ToKeon Certificate Authority
RSA Certificate Manager
IssueIs it possible to alter the DN of a Keon Certificate Authority?
ResolutionNo, it is not possible to simply modify the DN of a Keon Certificate Authority; you must new certificates. First, the existing certificates signed by the CA are already out in distribution with the current DN  information in them (in users' web browser) as well as in your web and other servers.

The next problem is that you cannot simply modify the contents of the DN. The DN is used to store the certificates in LDAP servers external to the CA Server, and retrieval would be affected, e.g. in Microsoft Active Directory.

Finally and the most severe of restrictions, the PEM in the certificate is a signature of the certificate including the DN information. The PEM would mismatch if you were to modify the fields of the DN, which would invalidate the certificate. The CA would fail tampering checks.

NOTE: Modifying the DN of an existing CA would have very negative results, and should not be performed
Legacy Article IDa28878