Can you enforce DN uniqueness on KCA
Originally Published: 2004-10-14
Issue
Resolution
The KCA is built on LDAP, and LDAP does not enforce DN uniqueness. This may seem confusing, since the DN is used much like a postal address to locate the desired record; the difference is that a directory server does not look records up in an index the way a database does.
A directory server instead follows the chain of objects down to the desired location, and the Distinguished Name identifies the links in that chain. The DN does not have to be unique in LDAP because, once the objects matching the complete DN have been reached, the LDAP protocol uses the RDN (Relative Distinguished Name), which carries attributes of the object, to determine a precise match. The KCA places the MD5 hash of the certificate in the RDN to discriminate between objects that share a distinguished name.
For example, shown below are two end-entity SSL certificates with the same DN. Each was made from a separate request, and the certificate name of request TWO was changed to the value "ONE" during approval. Notice the Subject DN values, the Request ID values, and the MD5 values:
| Subject DN | |
|---|---|
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |
Certificate for ONE

| Field | Value |
|---|---|
| Certificate Name: | ONE |
| Request ID: | C0A882AE0000027C000000020000000F |
| Client Type: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |
| Certificate Chain: | ZERO Six Six |
| Issuing Jurisdiction ID: | 94a093a5d1d3c2096cd85169f874b2d29afb9463 |
| Issuing Jurisdiction Name: | ZERO Six Six |
| Status: | Active |
| Certificate ID (MD5): | 6ded803245f55dd0f3140ac2ed86921b |
| Serial No.: | 69B44FDF9770F7FB444EB035B60205E3 |
| Subject DN | |
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |
| Valid From: | Wednesday, November 09, 2005 10:02:00 AM |
| Valid Until: | Tuesday, October 29, 2030 1:27:48 PM |
| Certificate (PEM format): | view |
| Renewal Policy: | Group Policy |
Certificate for TWO

| Field | Value |
|---|---|
| Certificate Name: | TWO |
| Request ID: | C0A882AE0000027C0000000200000010 |
| Client Type: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |
| Certificate Chain: | ZERO Six Six |
| Issuing Jurisdiction ID: | 94a093a5d1d3c2096cd85169f874b2d29afb9463 |
| Issuing Jurisdiction Name: | ZERO Six Six |
| Status: | Active |
| Certificate ID (MD5): | 1614074fed8df3b430bbf46959608044 |
| Serial No.: | 83CE52659EE37490555C1BDDAF94562D |
| Subject DN | |
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |
| Valid From: | Wednesday, November 09, 2005 10:02:48 AM |
| Valid Until: | Tuesday, October 29, 2030 1:26:12 PM |
| Certificate (PEM format): | view |
| Renewal Policy: | Group Policy |
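To make the resolution concrete, here is an added Python example (not KCA code and not part of the original article) that models the two records above. It shows why a table keyed on the subject DN alone loses one of the certificates, how a lookup keyed on the hash-qualified RDN keeps both, and an audit function that lists duplicate subject DNs after the fact, since the KCA will not refuse them. The certificate byte strings are constructed stand-ins (so their MD5 values do not match the ones in the tables), and the `certificateId` attribute name and the multi-valued RDN layout are assumptions about the directory schema, not the KCA's actual schema.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the two records shown above. A real KCA entry
# holds the DER-encoded certificate; these byte strings are NOT certificates,
# they only give the hash function something to digest so the script runs
# offline. Subject DN and Request ID values are copied from the page.
RECORDS = [
    {"request_id": "C0A882AE0000027C000000020000000F",
     "subject": {"CN": "ONE", "OU": "ZERO", "O": "ZERO"},
     "cert_bytes": b"constructed stand-in for certificate ONE"},
    {"request_id": "C0A882AE0000027C0000000200000010",
     "subject": {"CN": "ONE", "OU": "ZERO", "O": "ZERO"},
     "cert_bytes": b"constructed stand-in for certificate TWO"},
]


def subject_dn(subject):
    """Render the subject as a DN string, leaf component first."""
    return ",".join(f"{attr}={subject[attr]}" for attr in ("CN", "OU", "O"))


def cert_md5(cert_bytes):
    """MD5 of the certificate bytes: the 'Certificate ID (MD5)' field."""
    return hashlib.md5(cert_bytes).hexdigest()


def entry_dn(record):
    """Directory DN of the entry. The leaf is a multi-valued RDN combining the
    CN with the certificate hash, so two certificates with the same subject
    still get distinct entries. The attribute name 'certificateId' is an
    assumption, not the KCA schema."""
    subj = record["subject"]
    return (f"CN={subj['CN']}+certificateId={cert_md5(record['cert_bytes'])},"
            f"OU={subj['OU']},O={subj['O']}")


def index_by_subject_only(records):
    """A naive table keyed on the subject DN alone: the second certificate
    with the same subject silently replaces the first."""
    table = {}
    for r in records:
        table[subject_dn(r["subject"])] = r["request_id"]
    return table


def index_by_entry_dn(records):
    """Keyed on the hash-qualified entry DN: both certificates survive."""
    return {entry_dn(r): r["request_id"] for r in records}


def lookup(records, dn, md5=None):
    """Resolve a subject DN to exactly one record. Without the hash the
    lookup is ambiguous when the DN is shared; the MD5 carried in the RDN
    selects the precise object."""
    matches = [r for r in records if subject_dn(r["subject"]) == dn]
    if md5 is not None:
        matches = [r for r in matches if cert_md5(r["cert_bytes"]) == md5]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} entries match {dn!r}")
    return matches[0]


def duplicate_subjects(records):
    """Audit helper: subject DNs carried by more than one certificate, with
    the (Request ID, MD5) pairs that share them. Because the KCA does not
    refuse a duplicate DN, this is how duplicates are found after the fact."""
    groups = defaultdict(list)
    for r in records:
        groups[subject_dn(r["subject"])].append(
            (r["request_id"], cert_md5(r["cert_bytes"])))
    return {dn: ids for dn, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    print("subject-only index:", index_by_subject_only(RECORDS))
    print("entry-DN index:", index_by_entry_dn(RECORDS))
    for dn, ids in duplicate_subjects(RECORDS).items():
        print(f"duplicate subject {dn}:")
        for request_id, md5 in ids:
            print(f"  request {request_id}  md5 {md5}")
```

Running the script against the two records prints one entry for the subject-only index (request ...10 has overwritten ...0F), two entries for the hash-qualified index, and a duplicate report listing both Request IDs under `CN=ONE,OU=ZERO,O=ZERO`. Calling `lookup()` with only the subject DN raises `LookupError`, which is exactly the ambiguity the MD5 in the RDN exists to resolve.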