Can you enforce DN uniqueness on KCA
Originally Published: 2004-10-14
Resolution
The KCA is built on LDAP, and LDAP does not enforce DN uniqueness. The failure to enforce uniqueness may seem confusing, since the DN is used much like a postal address to locate the desired record. On a directory server, records are not looked up in an index as they are in a database.
In a directory server the chain of objects is followed to the desired location, and the Distinguished Name identifies the links in that chain. The DN is not required to be unique in LDAP because, once the objects which match the complete DN have been reached, the LDAP protocol uses the RDN (Relative Distinguished Name), which contains attributes of the objects, to determine a precise match with the object. The KCA uses the MD5 hash of the certificate in the RDN to discriminate between objects with matching distinguished names.
For example, shown below are two end-entity SSL certificates with the same DN. Each was made from a separate request, and the certificate name of request TWO was changed to the value "ONE" during approval. Notice the Subject DN values, the Request ID values, and the MD5 values:
| Subject DN attribute | Certificate ONE | Certificate TWO |
|---|---|---|
| Common Name (CN) | ONE | ONE |
| Organizational Unit (OU) | ZERO | ZERO |
| Organization (O) | ZERO | ZERO |
Certificate for ONE

| Field | Value |
|---|---|
| Certificate Name: | ONE |
| Request ID: | C0A882AE0000027C000000020000000F |
| Client Type: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |
| Certificate Chain: | ZERO Six Six |
| Issuing Jurisdiction ID: | 94a093a5d1d3c2096cd85169f874b2d29afb9463 |
| Issuing Jurisdiction Name: | ZERO Six Six |
| Status: | Active |
| Certificate ID (MD5): | 6ded803245f55dd0f3140ac2ed86921b |
| Serial No.: | 69B44FDF9770F7FB444EB035B60205E3 |
| Subject DN | |
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |
| Valid From: | Wednesday, November 09, 2005 10:02:00 AM |
| Valid Until: | Tuesday, October 29, 2030 1:27:48 PM |
| Certificate (PEM format): | view |
| Renewal Policy: | Group Policy |
Certificate for TWO

| Field | Value |
|---|---|
| Certificate Name: | TWO |
| Request ID: | C0A882AE0000027C0000000200000010 |
| Client Type: | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |
| Certificate Chain: | ZERO Six Six |
| Issuing Jurisdiction ID: | 94a093a5d1d3c2096cd85169f874b2d29afb9463 |
| Issuing Jurisdiction Name: | ZERO Six Six |
| Status: | Active |
| Certificate ID (MD5): | 1614074fed8df3b430bbf46959608044 |
| Serial No.: | 83CE52659EE37490555C1BDDAF94562D |
| Subject DN | |
| Common Name (CN): | ONE |
| Organizational Unit (OU): | ZERO |
| Organization (O): | ZERO |
| Valid From: | Wednesday, November 09, 2005 10:02:48 AM |
| Valid Until: | Tuesday, October 29, 2030 1:26:12 PM |
| Certificate (PEM format): | view |
| Renewal Policy: | Group Policy |
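Because the KCA cannot be made to reject a second certificate with the same Subject DN, an administrator who needs uniqueness has to audit for it after the fact. The following Python is an added example, not KCA code and not from the original article: it models the principle the article describes (a hash of the certificate placed in the RDN so that two records with the same Subject DN still have distinct directory entries) and then scans a set of records for duplicate Subject DNs. The sample records are constructed from the two certificates above plus a third unrelated one; the `der` bytes are placeholders standing in for the real DER encoding, and the entry DN layout (`certid=<md5>,<subject DN>,<base>`) is an assumption for illustration, since the page does not document the exact attribute names the KCA uses.

```python
import hashlib
from collections import defaultdict

# Constructed sample records modelled on the article's two certificates
# (same Subject DN, different Request IDs, serials and MD5 IDs) plus a
# third certificate with a distinct CN. The "der" values are placeholders,
# not real certificate encodings.
SAMPLE_CERTS = [
    {"name": "ONE",
     "subject": [("CN", "ONE"), ("OU", "ZERO"), ("O", "ZERO")],
     "request_id": "C0A882AE0000027C000000020000000F",
     "serial": "69B44FDF9770F7FB444EB035B60205E3",
     "der": b"placeholder-der-bytes-for-certificate-ONE"},
    {"name": "TWO",
     "subject": [("CN", "ONE"), ("OU", "ZERO"), ("O", "ZERO")],
     "request_id": "C0A882AE0000027C0000000200000010",
     "serial": "83CE52659EE37490555C1BDDAF94562D",
     "der": b"placeholder-der-bytes-for-certificate-TWO"},
    {"name": "THREE",
     "subject": [("CN", "THREE"), ("OU", "ZERO"), ("O", "ZERO")],
     "request_id": "C0A882AE0000027C0000000200000011",  # constructed
     "serial": "0000000000000000000000000000ABCD",      # constructed
     "der": b"placeholder-der-bytes-for-certificate-THREE"},
]


def subject_dn(subject):
    """Render the subject as an RFC 4514 style string, keeping the
    attribute order in which the article lists them (CN, OU, O)."""
    return ",".join(f"{attr}={value}" for attr, value in subject)


def cert_md5(der):
    """MD5 of the certificate bytes, used purely as a record identifier
    (the article's "Certificate ID (MD5)"), not as a security control."""
    return hashlib.md5(der).hexdigest()


def entry_dn(cert, base_dn="o=ZERO"):
    """Hypothetical directory entry DN: a hash-bearing RDN in front of the
    subject attributes. The attribute name "certid" and the base DN are
    assumptions; the point is that the hash makes the full DN distinct
    even when the Subject DN is repeated."""
    return f"certid={cert_md5(cert['der'])},{subject_dn(cert['subject'])},{base_dn}"


def entry_dns_unique(certs):
    """True if every record maps to a distinct directory entry DN."""
    dns = [entry_dn(c) for c in certs]
    return len(dns) == len(set(dns))


def find_duplicate_subjects(certs):
    """Audit helper: group records by Subject DN and return only the
    groups with more than one certificate, as {subject_dn: [serials]}.
    This is the check an operator runs because the KCA itself will not
    refuse the second issuance."""
    groups = defaultdict(list)
    for cert in certs:
        groups[subject_dn(cert["subject"])].append(cert["serial"])
    return {dn: serials for dn, serials in groups.items() if len(serials) > 1}


if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert["name"], "->", entry_dn(cert))
    print("entry DNs unique:", entry_dns_unique(SAMPLE_CERTS))
    for dn, serials in find_duplicate_subjects(SAMPLE_CERTS).items():
        print("duplicate Subject DN", dn, "serials", serials)
```

Run as a script it prints the three entry DNs, confirms they are all distinct, and reports the one Subject DN (`CN=ONE,OU=ZERO,O=ZERO`) that two serials share. Against a real deployment the same grouping can be applied to an export of the issued-certificate records; the serial numbers and Certificate IDs in the report are what identify which of the colliding certificates to revoke.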