
I use keytool to create an x509 certificate with this subject:

CN=alice, OU=Demo Client, O=myCompany, L=Site1, ST=wll, C=nz

But after I create a CSR and get the entry signed (I use "openssl ca") my "O" and "L" are suddenly reversed:

CN=alice, OU=Demo Client, L=Site1, O=myCompany, ST=wll, C=nz

Are both subjects still considered the same? Or is the order important?

Frizz
  • No they are not the same. Order is significant. Ask the CA what he's doing with your certificate. – user207421 Jun 19 '15 at 13:07
  • I created my own CA and used openssl to sign my certificates. Why might it change the order of "L" and "O"? – Frizz Jun 19 '15 at 13:15
  • Whether they are the same or not depends on how the DNs are encoded. See my answer for more info, and add the CSR and certificate to your question if you want the exact answer for your case. – frasertweedale Jun 19 '15 at 23:32

1 Answer

They may or may not be the same, depending on how the Subject Distinguished Name (DN) is encoded in the CSR and the certificate. The DN is defined as the X.501 type Name. From RFC 5280:

   Name ::= CHOICE { -- only one possibility for now --
     rdnSequence  RDNSequence }

   RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

   RelativeDistinguishedName ::=
     SET SIZE (1..MAX) OF AttributeTypeAndValue

   AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

   AttributeType ::= OBJECT IDENTIFIER

   AttributeValue ::= ANY -- DEFINED BY AttributeType

The distinguishedNameMatch rule is defined in RFC 5280 section 7.1 (emphasis mine):

Two naming attributes match if the attribute types are the same and the values of the attributes are an exact match after processing with the string preparation algorithm. Two relative distinguished names RDN1 and RDN2 match if they have the same number of naming attributes and for each naming attribute in RDN1 there is a matching naming attribute in RDN2. Two distinguished names DN1 and DN2 match if they have the same number of RDNs, for each RDN in DN1 there is a matching RDN in DN2, and the matching RDNs appear in the same order in both DNs. A distinguished name DN1 is within the subtree defined by the distinguished name DN2 if DN1 contains at least as many RDNs as DN2, and DN1 and DN2 are a match when trailing RDNs in DN1 are ignored.

If the Organization (O) and Location (L) attributes appear in the same Relative Distinguished Name set in the Subject DN of both the CSR and the certificate, then all else being equal, the DNs are equal. If they are in different RDNs, then the order of the RDNs has been changed, making the DNs different.

frasertweedale
  • The AVA rule applies to RDNs, not to DNs, and in any case these are LDAP rules. They don't necessarily apply to what's in a certificate. – user207421 Jun 20 '15 at 00:13
  • Incorrect. Observe that the DN is a `SEQUENCE OF RelativeDistinguishedName`. – frasertweedale Jun 20 '15 at 00:26
  • Sorry @EJP, misread your comment. True, the LDAP rules do not necessarily apply. I have updated my answer with the rules from RFC 5280, which are the same as the LDAP rules. – frasertweedale Jun 20 '15 at 00:39
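The answer's point is that the string form hides the structure that actually gets compared. The following is an added example, not code from the question, the answer, keytool or OpenSSL: it hand-encodes the two DNs from the question as DER RDNSequences, decodes them back, and compares them with the RFC 5280 section 7.1 rules the answer quotes (RDN order significant, attribute order inside one RDN not, values compared after string preparation). The sample DNs are constructed; attribute values are written as UTF8String for simplicity (real certificates also use PrintableString), and the string preparation is a simplified stand-in for RFC 4518 (NFKC, case fold, whitespace collapse), so treat it as an illustration of the matching rule rather than a drop-in validator.

```python
"""Compare X.509 subject DNs structurally, per RFC 5280 section 7.1 (added example)."""
import re
import unicodedata

OID = {"CN": "2.5.4.3", "C": "2.5.4.6", "L": "2.5.4.7", "ST": "2.5.4.8",
       "O": "2.5.4.10", "OU": "2.5.4.11"}
SHORT = {v: k for k, v in OID.items()}


# --- minimal DER encoder (only what a Name needs) -------------------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytes([p & 0x7F])
        p >>= 7
        while p:
            chunk = bytes([0x80 | (p & 0x7F)]) + chunk
            p >>= 7
        out += chunk
    return _tlv(0x06, out)


def encode_name(rdns):
    """rdns: list of RDNs in DER order (C first); each RDN is a list of
    (short_name, value) pairs. Several pairs in one list form a multi-valued RDN."""
    out = b""
    for rdn in rdns:
        avas = [_tlv(0x30, _oid(OID[t]) + _tlv(0x0C, v.encode("utf-8"))) for t, v in rdn]
        avas.sort()  # DER canonical form: SET OF elements in ascending encoded order
        out += _tlv(0x31, b"".join(avas))
    return _tlv(0x30, out)


# --- minimal DER decoder ---------------------------------------------------
def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def decode_name(der):
    """Return the Name as a list of RDNs, each a list of (dotted_oid, value)."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, set_body, pos = _read_tlv(body, pos)
        assert tag == 0x31, "RelativeDistinguishedName must be a SET"
        avas, p = [], 0
        while p < len(set_body):
            _, seq, p = _read_tlv(set_body, p)
            _, oid_body, q = _read_tlv(seq, 0)
            _, val, _ = _read_tlv(seq, q)
            avas.append((_decode_oid(oid_body), val.decode("utf-8")))
        rdns.append(avas)
    return rdns


def name_to_string(rdns):
    """RFC 4514-style rendering: most specific RDN first, '+' joins a multi-valued RDN."""
    return ", ".join("+".join(f"{SHORT.get(o, o)}={v}" for o, v in rdn) for rdn in reversed(rdns))


# --- RFC 5280 7.1 matching (simplified string preparation) -----------------
def _prep(s):
    return re.sub(r"\s+", " ", unicodedata.normalize("NFKC", s)).strip().casefold()


def names_match(der1, der2):
    rdns1, rdns2 = decode_name(der1), decode_name(der2)
    if len(rdns1) != len(rdns2):
        return False
    for r1, r2 in zip(rdns1, rdns2):  # RDN position is significant...
        if {(o, _prep(v)) for o, v in r1} != {(o, _prep(v)) for o, v in r2}:
            return False  # ...but attribute order inside one RDN (a SET) is not
    return True


# Constructed sample DNs from the question. keytool and openssl both write the
# string "CN=...,C=nz" to DER with C first, so the RDNSequences below are reversed.
CSR_DN = encode_name([[("C", "nz")], [("ST", "wll")], [("L", "Site1")], [("O", "myCompany")],
                      [("OU", "Demo Client")], [("CN", "alice")]])
# What the asker saw in the certificate: L and O as two separate RDNs, swapped.
CERT_DN = encode_name([[("C", "nz")], [("ST", "wll")], [("O", "myCompany")], [("L", "Site1")],
                       [("OU", "Demo Client")], [("CN", "alice")]])
# Same attributes, but L and O inside ONE multi-valued RDN, listed in either order.
MULTI_A = encode_name([[("C", "nz")], [("ST", "wll")], [("L", "Site1"), ("O", "myCompany")],
                       [("OU", "Demo Client")], [("CN", "alice")]])
MULTI_B = encode_name([[("C", "nz")], [("ST", "wll")], [("O", "myCompany"), ("L", "Site1")],
                       [("OU", "Demo Client")], [("CN", "alice")]])

if __name__ == "__main__":
    for label, a, b in [("separate RDNs, swapped", CSR_DN, CERT_DN),
                        ("one multi-valued RDN", MULTI_A, MULTI_B)]:
        print(f"{label}: {name_to_string(decode_name(a))}  vs  "
              f"{name_to_string(decode_name(b))} -> match={names_match(a, b)}")
```

Run stand-alone, the first pair reports match=False (six RDNs, two of them in a different position) and the second match=True; because DER sorts the elements of a SET, the two multi-valued encodings are even byte-identical. To see which case applies to a real CSR and certificate, print the subjects with `openssl req -in req.csr -noout -subject -nameopt RFC2253` and `openssl x509 -in cert.pem -noout -subject -nameopt RFC2253`: a multi-valued RDN is shown with `+` between its attributes (`L=Site1+O=myCompany`), whereas a comma means a separate RDN whose position matters. Also check whether the CA's configuration (the `policy` section used by `openssl ca`) is the reason the ordering changed, since `openssl ca` rebuilds the subject from its policy rather than copying the CSR's encoding verbatim.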