3.3 Tracking Entrust DN changes
MyID can maintain a single Entrust entity/user after their (distinguished) name changes; for example, due to changes to marital status.
To trigger a change of DN, use the PIV applicant editing screens in the MyID Operator Client, click the Position tab, and edit the PIV DN field. Equally, an update will result from a change to First Name, Last Name, Employee ID, or the Base DN of the person's group.
To complete a change of DN, the person must have at least one new certificate issued.
If a person changes DN multiple times without a new certificate actually being issued, only the last change will be reflected at the CA; for example, a person who changes from Arthur Alpha to Arthur Beta to Arthur Gamma is reflected at the Certificate Authority as Arthur Alpha becoming Arthur Gamma.
If a person changes DN multiple times and a new certificate has been issued, each change is reflected at the CA; for example, a person who changes from Arthur Alpha to Arthur Beta to Arthur Gamma is reflected at the Certificate Authority as individual approved DN changes.
Entrust refuses to process a change DN request in some circumstances, because the user is not in an appropriate state or has only revoked certificates. It does return specific errors in those cases, but MyID cannot independently correct the situation.
If for any reason MyID is unable to complete a change of DN successfully, it continues to attempt to apply the change (unless undone) in future certificate requests.
Entrust refuses to allow a change of DN for a user if that user DN has ever existed in the lifetime of the Certificate Authority, even if that user has since been archived or removed. In such cases, you must use the Entrust Security Manager Administrator utility (other Entrust tools may be available) and change the 'Allow DN reuse' setting; the default is off/deselected.
Entrust allows a change of DN only if the user is using default key expiration settings; as such, as part of the processing, MyID reverts to defaults during the user change DN. However, as soon as a certificate is issued after the change of DN, the MyID configured settings are applied – they default to MyID being in control of lifetimes.
The DN change logic can track only one DN; this DN is the main DN that is used for certificate requests; for example, Xu55. If you need your DN to be in a particular order, make sure that your DN construction trigger and group Base DN values follow the pattern expected, and do not set ReverseDN against the policies.
Note: The Track Entrust distinguished name changes option on the LDAP tab of the Operation Settings workflow does not affect this functionality; this option was added for MyID Enterprise systems, not PIV systems.
3.3.1 Known issues
- IKB-246 – Additional identities will not work when tracking Entrust DN changes
If you use MyID to issue additional identity certificates to a user, and have configured MyID to track Entrust DN changes, the additional identity certificates held in Entrust will not be affected when you update the DN. This is because the DN associated to the certificate is different to the primary DN of the user account in MyID.
- IKB-352 – Change DN is sensitive to whitespace between DN elements
The Entrust Change DN feature may not identify the user to be updated in the Entrust certificate authority in some circumstances, leading to a new Entrust user account being created at next certificate issuance.
This problem has been seen when the new Distinguished Name does not have spaces after the comma separators; for example:
<DN>CN=Sam Jones,OU=Administrators,DC=mycorp,DC=local</DN>
<AlternateDN>CN=Sam Jones,OU=Administrators,DC=mycorp,DC=local</AlternateDN>
To work around this issue, ensure that PIV DN values imported to MyID, typed in, or created by customizations applied to MyID include spaces after the comma separators.
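A pre-import check for the whitespace workaround above, as an added example (this is not MyID or Entrust code; the helper names are assumptions). It splits a DN into its RDNs while honouring backslash-escaped commas, so a value such as `Jones\, Sam` is not broken apart, then reports any PIV DN that lacks the space after a separator before it reaches MyID.

```python
# Hypothetical helpers (not part of MyID or Entrust): normalize the whitespace
# between RDN separators so that Change DN matching sees the expected form.

def split_rdns(dn: str) -> list[str]:
    """Split an RFC 4514-style DN on unescaped commas, trimming each RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                  # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":              # unescaped comma ends the current RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns

def normalize_dn(dn: str) -> str:
    """Return the DN with exactly one space after each RDN separator."""
    return ", ".join(split_rdns(dn))

def dns_match(dn_a: str, dn_b: str) -> bool:
    """True if two DNs differ only in whitespace around the separators
    (attribute types compared case-insensitively, values compared exactly)."""
    def key(dn: str) -> list[tuple[str, str]]:
        out = []
        for rdn in split_rdns(dn):
            attr, _, value = rdn.partition("=")
            out.append((attr.strip().upper(), value.strip()))
        return out
    return key(dn_a) == key(dn_b)

def check_piv_dns(dns: list[str]) -> list[tuple[str, str]]:
    """Return (original, normalized) pairs for every DN that is missing the
    space after a separator, so it can be corrected before import."""
    return [(dn, normalize_dn(dn)) for dn in dns if normalize_dn(dn) != dn]

if __name__ == "__main__":
    sample = [  # constructed sample values, not real directory data
        "CN=Sam Jones,OU=Administrators,DC=mycorp,DC=local",
        "CN=Sam Jones, OU=Administrators, DC=mycorp, DC=local",
        "CN=Jones\\, Sam,OU=Administrators,DC=mycorp,DC=local",
    ]
    for original, fixed in check_piv_dns(sample):
        print(f"{original!r} -> {fixed!r}")
```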