Christophe Bailleux wrote:

> Hi,
>
> RFC 2459 states the following (see section 4.1.2.6, "Subject") :
>
>    Where it is non-empty, the subject field MUST contain an X.500
>    distinguished name (DN). The DN MUST be unique for each subject
>    entity certified by the one CA as defined by the issuer name field. A
>    CA may issue more than one certificate with the same DN to the same
>    subject entity.
>
> However, I couldn't find a way to have OpenCA create more than one
> certificate for the same DN. Reported error is :
>
> General Error Trapped 6735: A Valid Certificate with same DN exists! at
> /usr/local/OpenCA/lib/functions/misc-utils.lib line 38.
> Compilation failed in require at /usr/local/apache/cgi-bin/ca/ca line 194.
>
> It seems OpenCA refuses to do so, using the certificate's DN as a unique
> identifier. I thought I could use more than one certificate per user, using
> for LDAP the same DN and many usercertificate;binary attributes?
>
> Is it by design? Is this behaviour documented in any PKIX compliant
> draft? I didn't find good links on this topic.
>
> I guess this has something to do with the SET_REQUEST_SERIAL_IN_DN or
> DN_WITHOUT_EMAIL options - can you point me to the drafts they are
> referring to?

I think by definition a certificate must be uniquely identifiable.  I have
always considered the DN as only one part of unique certificate identification
but to identify an entity rather than a specific single certificate.  The use
of DN + serial # + issuer name provides uniqueness to any certificate.  The
serial number is required for uniqueness for purposes of managing individual
certificates by the issuing authority (e.g., revocation).

There have been most certainly certificates issued from the same root or
subordinate CA using identical DNs using the serial number to ensure
uniqueness.  I have seen certain CA implementations have problems with same DN
certificates due to database exceptions.  But I think the rule is certificate
uniqueness and this can be defined down to the serial number.  I also consider
this a bug or design shortcoming in these systems (mostly in database
implementations) since there is guaranteed uniqueness via certificate serial
number.

I can think of numerous cases where it would be, at the very least, desirable
to have identical DNs for certificates.  Uniqueness would be managed by the
CA-assigned serial#.

Based on my recollection of ANSI X9.57 and ISO 15782, the serial number must
be unique, other fields may be (and in some cases must be) duplicated.  I
don't recall that the DN must be unique.

At least that's my humble understanding of the process....

(OK, so much for this newbie's first post.  I'm definitely not trying to rock
the boat.  ;-)

Regards,

Bill
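Bill's point that issuer name plus serial number, rather than the subject DN, is what identifies a certificate can be checked with the openssl command line. The script below is an added example, not part of the thread or of OpenCA; the CA and subject DNs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or OpenCA: issue two certificates with
# the same subject DN from one CA, differing only in the CA-assigned serial,
# then show that (issuer, serial) still identifies each one. Needs openssl.
set -e

WORK=$(mktemp -d)
# Constructed sample DNs (hypothetical, not from the original post)
CA_SUBJ="/C=FR/O=Example CA/CN=Example Root"
USER_SUBJ="/C=FR/O=Example/CN=Alice Example"

# make_ca: create a throwaway self-signed CA key and certificate
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <serial> <name>: new key + CSR for USER_SUBJ, signed by the CA
# with an explicit serial number (the field RFC 2459 relies on for uniqueness)
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$USER_SUBJ" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial "$1" -out "$WORK/$2.crt" 2>/dev/null
}

# cert_subject <file>: subject DN as printed by openssl
cert_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# cert_id <file>: the (issuer, serial) pair, i.e. what a CA database
# should key on instead of the subject DN alone
cert_id() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  printf '%s|%s\n' "$issuer" "$serial"
}

# Demo: same subject, two serials, both chain to the same CA
make_ca
issue_cert 1001 first
issue_cert 1002 second
echo "subject 1: $(cert_subject "$WORK/first.crt")"
echo "subject 2: $(cert_subject "$WORK/second.crt")"
echo "id 1:      $(cert_id "$WORK/first.crt")"
echo "id 2:      $(cert_id "$WORK/second.crt")"
openssl verify -CAfile "$WORK/ca.crt" "$WORK/first.crt" "$WORK/second.crt"
```

Both subjects print identically while the two ids differ only in their serial, which is exactly the situation the OpenCA check at misc-utils.lib line 38 rejects.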




_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users