|Applies To||Keon Certificate Authority|
RSA Certificate Manager
|Issue||Is it possible to alter the DN of a Keon Certificate Authority?|
|Resolution||No, it is not possible to simply modify the DN of a Keon Certificate Authority; you must issue new certificates. First, the existing certificates signed by the CA are already in distribution with the current DN information in them (in users' web browsers) as well as in your web and other servers.|
The next problem is that you cannot simply modify the contents of the DN. The DN is used to store the certificates in LDAP servers external to the CA Server, and retrieval would be affected, e.g. in Microsoft Active Directory.
Finally, and the most severe of the restrictions, the signature carried in the PEM-encoded certificate is computed over the certificate contents, including the DN information. The signature would no longer match if you were to modify the fields of the DN, which would invalidate the certificate. The CA would fail tampering checks.
NOTE: Modifying the DN of an existing CA would have very negative results and should not be performed.
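The distribution and signature problems described above, as an added example that is not part of the original article or of the RSA product: a simplified to-be-signed body (serial, issuer DN, subject DN, not full X.509) is DER-encoded and signed with RSA PKCS#1 v1.5. The key, the sample DNs and the `check` helper are constructed assumptions for illustration only.

```python
import hashlib

# Constructed demo key built from two Mersenne primes: insecure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
OIDS = {"C": "550406", "O": "55040a", "CN": "550403"}  # 2.5.4.6, 2.5.4.10, 2.5.4.3

def tlv(tag, body):
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (raw if n < 128 else bytes([0x80 | len(raw)]) + raw) + body

def der_name(rdns):
    """Encode [(attr, value), ...] as an X.501 Name (all values as UTF8String)."""
    sets = b""
    for attr, value in rdns:
        atv = tlv(0x06, bytes.fromhex(OIDS[attr])) + tlv(0x0C, value.encode())
        sets += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, sets)

def tbs(issuer, subject, serial):
    """Simplified to-be-signed body: serial, issuer DN, subject DN."""
    return tlv(0x30, tlv(0x02, bytes([serial])) + der_name(issuer) + der_name(subject))

def emsa(data):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data)."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(data):
    return pow(int.from_bytes(emsa(data), "big"), D, N)

def verify(data, sig):
    return pow(sig, E, N).to_bytes(K, "big") == emsa(data)

# Constructed sample DNs and a user certificate that is already in distribution.
OLD_CA = [("C", "US"), ("O", "Example Corp"), ("CN", "Example Root CA")]
NEW_CA = [("C", "US"), ("O", "Example Holdings"), ("CN", "Example Root CA")]
USER = [("O", "Example Corp"), ("CN", "alice")]
user_sig = sign(tbs(OLD_CA, USER, 2))

def check(issuer_in_cert, ca_subject_dn):
    """Return (issuer DN chains to the CA subject DN, CA signature still verifies)."""
    chains = der_name(issuer_in_cert) == der_name(ca_subject_dn)
    return chains, verify(tbs(issuer_in_cert, USER, 2), user_sig)
```

`check(OLD_CA, OLD_CA)` returns `(True, True)`; `check(OLD_CA, NEW_CA)` returns `(False, True)` because the distributed certificate still names the old issuer, and `check(NEW_CA, NEW_CA)` returns `(True, False)` because editing the DN inside the certificate breaks the signature.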
|Legacy Article ID||a28878|