Can you enforce DN uniqueness on KCA
Originally Published: 2004-10-14
Issue
Resolution
The KCA is built on LDAP, and LDAP does not enforce DN uniqueness. This may seem confusing, since the DN is used much like a postal address to locate the desired record. On directory servers, however, records are not looked up in an index as they are in databases.
In a directory server the chain of objects is followed down to the desired location, and the Distinguished Name identifies the links in that chain. The DN is not required to be unique in LDAP because, once the objects matching the complete DN have been reached, the LDAP protocol uses the RDN (Relative Distinguished Name), which contains attributes of the object, to determine a precise match. The KCA uses the MD5 hash of the certificate in the RDN to discriminate between objects with matching distinguished names.
For example, shown below are two end-entity SSL certificates with the same DN. Each was made from a separate request, and the certificate name of request TWO was changed to the value "ONE" during approval. Notice the Subject DN values, the Request ID values, and the MD5 values:
| Subject DN | |
|---|---|
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |

| Subject DN | |
|---|---|
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |
Certificate for ONE

| Field | Value |
|---|---|
| Certificate Name: | ONE |
| Request ID: | C0A882AE0000027C000000020000000F |
| Client Type: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |
| Certificate Chain: | ZERO Six Six |
| Issuing Jurisdiction ID: | 94a093a5d1d3c2096cd85169f874b2d29afb9463 |
| Issuing Jurisdiction Name: | ZERO Six Six |
| Status: | Active |
| Certificate ID (MD5): | 6ded803245f55dd0f3140ac2ed86921b |
| Serial No.: | 69B44FDF9770F7FB444EB035B60205E3 |
| Subject DN | |
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |
| Valid From: | Wednesday, November 09, 2005 10:02:00 AM |
| Valid Until: | Tuesday, October 29, 2030 1:27:48 PM |
| Certificate (PEM format): | view |
| Renewal Policy: | Group Policy |
Certificate for TWO

| Field | Value |
|---|---|
| Certificate Name: | TWO |
| Request ID: | C0A882AE0000027C0000000200000010 |
| Client Type: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |
| Certificate Chain: | ZERO Six Six |
| Issuing Jurisdiction ID: | 94a093a5d1d3c2096cd85169f874b2d29afb9463 |
| Issuing Jurisdiction Name: | ZERO Six Six |
| Status: | Active |
| Certificate ID (MD5): | 1614074fed8df3b430bbf46959608044 |
| Serial No.: | 83CE52659EE37490555C1BDDAF94562D |
| Subject DN | |
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |
| Valid From: | Wednesday, November 09, 2005 10:02:48 AM |
| Valid Until: | Tuesday, October 29, 2030 1:26:12 PM |
| Certificate (PEM format): | view |
| Renewal Policy: | Group Policy |
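The mechanism described above, as an added illustration rather than KCA's own code: two certificates sharing the Subject DN `CN=ONE,OU=ZERO,O=ZERO` are stored under entry DNs whose leaf RDN is the MD5 of the certificate, so both survive, whereas a lookup keyed on the Subject DN alone would keep only one. The RDN attribute name `certificateId`, the base DN `o=kca,dc=example` and the certificate byte strings are constructed assumptions; the KCA schema is not on the page.

```python
import hashlib

# Constructed stand-ins for the DER bytes of the two certificates on the page.
CERTS = {
    "ONE": b"constructed-der-bytes-request-C0A882AE0000027C000000020000000F",
    "TWO": b"constructed-der-bytes-request-C0A882AE0000027C0000000200000010",
}
SUBJECT_DN = "CN=ONE,OU=ZERO,O=ZERO"   # identical for both certificates
BASE_DN = "o=kca,dc=example"           # assumed directory base, not from the page


def cert_id(der: bytes) -> str:
    """Certificate ID as the page describes it: the MD5 of the certificate.
    It serves only as a locator in the directory; MD5 is not collision
    resistant, so it must not be treated as an integrity check."""
    return hashlib.md5(der).hexdigest()


def entry_dn(der: bytes, subject_dn: str, base: str = BASE_DN) -> str:
    """Entry DN: hash RDN (assumed attribute 'certificateId') beneath the
    Subject DN chain beneath the base. Only the leaf RDN differs between
    certificates that share a Subject DN."""
    return f"certificateId={cert_id(der)},{subject_dn},{base}"


def add_entries(certs: dict, subject_dn: str) -> dict:
    """Store each certificate under its hash-qualified DN; refuse an exact
    duplicate, which is the one thing a directory does reject."""
    directory = {}
    for der in certs.values():
        dn = entry_dn(der, subject_dn)
        if dn in directory:
            raise ValueError(f"entry already exists: {dn}")
        directory[dn] = der
    return directory


def find_under(directory: dict, subject_dn: str, base: str = BASE_DN) -> dict:
    """Walk to the Subject DN in the chain and return every entry below it,
    i.e. all certificates issued with that Subject DN."""
    suffix = f",{subject_dn},{base}"
    return {dn: der for dn, der in directory.items() if dn.endswith(suffix)}


def naive_index(certs: dict, subject_dn: str) -> dict:
    """Contrast: keying on the Subject DN alone silently overwrites ONE with TWO."""
    index = {}
    for der in certs.values():
        index[subject_dn] = der
    return index
```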