3.11 Generating a certificate subject DN
The subject DN that is written to an EJBCA-issued certificate is affected by configuration within both MyID and the EJBCA server.
You can affect the generated subject DN in the following ways:

- Using a MyID generated subject DN.

  When issuing a certificate with a non-key management client generated key, the MyID CMS generated subject DN is provided in the PKCS#10 that is included in the certificate request.

- Using the subject DN passed in the certificate request.

  When the subject DN passed in the certificate request is used, the format of the DN is affected by a number of settings within the EJBCA CA. In this case, the ReverseDN setting in MyID set against the certificate authority policy has no effect on the generated subject DN.

  When you are using the passed-in subject DN, you can control which DN components are allowed and their order:

  - Subject DN components in the EJBCA End Entity Profile.

    Of the subject DN components passed in the certificate request, only those that are included in the End Entity Profile are used in the subject DN.

  - Not using a custom DN order.

    When the Certificate Profile is not configured to specify a Custom DN Order, and the Allow subject DN override by CSR setting is enabled, the DN component order is controlled through the LDAP DN Order setting in the certificate profile.

    - When the LDAP DN Order option is set, the DN components are listed from last to first, which puts the smallest DN component first. For example:

      CN=Common Name, O=Organization, C=Country

    - When the LDAP DN Order option is not set, the DN components are listed from first to last, which puts the largest DN component first. For example:

      C=Country, O=Organization, CN=Common Name

  - Using a custom DN order.

    You can configure a certificate profile to require the DN components in a specific custom order, rather than the default order. This configuration is available only when the Allow subject DN override by CSR and the Allow Subject DN Override by End Entity Information options are not enabled. The order of the components is decided by the order specified in the Custom DN Order option. For example:

      CN, C, O

    orders the components as:

      CN=Common Name, C=Country, O=Organization

    Any DN component that is passed in the certificate request but is not included in the list is added to the end of the list. For example, if, in the earlier example, a DC component was also passed, the DN would be:

      CN=Common Name, C=Country, O=Organization, DC=Domain

    When using a custom DN order, the LDAP ordering of the components is controlled through the corresponding Apply LDAP DN order setting and LDAP DN Order options.

    - When the Apply LDAP DN order setting is enabled, the LDAP DN Order setting is used to determine the DN component order. This is affected by the order in which the DN components are provided in the list, as EJBCA checks whether the list is already in the required order.

    - When the Apply LDAP DN order setting is not enabled, LDAP order takes preference, but can be affected by the order in which the DN components are specified in Custom DN Order.

    Whether the Apply LDAP DN order setting is enabled or not, the way that additional DN components are added depends on the selected DN order.

  - Restricting DN components when using a custom DN order.

    If you have a Custom DN Order set, and you want to restrict the DN components that are included in the subject DN, you can use the Subset of Subject DN setting in the certificate profile. When you are using EJBCA with MyID, we recommend that you control the restriction of DN components through the End Entity Profile setting, rather than using this option.
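The following is an added worked example, not part of the MyID documentation and not EJBCA's own code. It models the rules described above so that you can predict the subject DN a given profile configuration will produce from a requested DN: filtering by the End Entity Profile, the LDAP DN Order reversal when no custom order is set, and the custom order with unlisted components appended at the end. `DEFAULT_X500_ORDER`, the class and function names, and the default option values are assumptions made for the example; EJBCA's full built-in ordering and the interaction with Apply LDAP DN order are not on the page and are deliberately not modelled.

```python
"""Model of EJBCA subject DN shaping as described in the section above.

This is example code written for illustration; it is not EJBCA's
implementation. A DN is represented as an ordered list of (type, value)
pairs, in the order the components would be written to the certificate.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

DNPair = Tuple[str, str]

# ASSUMPTION: a constructed "largest component first" order standing in for
# EJBCA's built-in X.500 ordering; the real list is not given on the page.
DEFAULT_X500_ORDER = ["C", "ST", "L", "O", "OU", "DC", "CN"]


@dataclass
class CertificateProfile:
    """The subset of certificate profile options discussed above.

    Defaults are chosen for the example only, not taken from EJBCA."""
    ldap_dn_order: bool = True                      # "LDAP DN Order"
    custom_dn_order: Optional[List[str]] = None     # "Custom DN Order", e.g. ["CN", "C", "O"]
    allow_dn_override_by_csr: bool = True           # "Allow subject DN override by CSR"
    allow_dn_override_by_ee_info: bool = False      # "Allow Subject DN Override by End Entity Information"

    def __post_init__(self) -> None:
        # The page states a custom order is only available when neither
        # override option is enabled; reject inconsistent configurations.
        if self.custom_dn_order and (self.allow_dn_override_by_csr
                                     or self.allow_dn_override_by_ee_info):
            raise ValueError("Custom DN Order requires both DN override options to be disabled")


def parse_dn(dn: str) -> List[DNPair]:
    """Parse the simple 'T=value, T=value' form used in the examples above.

    No RFC 4514 escaping is handled; this is enough for the page's examples."""
    pairs: List[DNPair] = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def format_dn(pairs: Sequence[DNPair]) -> str:
    return ", ".join(f"{t}={v}" for t, v in pairs)


def filter_by_end_entity_profile(pairs: Sequence[DNPair], allowed_types: Sequence[str]) -> List[DNPair]:
    """Only components present in the End Entity Profile are kept."""
    allowed = {t.upper() for t in allowed_types}
    return [(t, v) for t, v in pairs if t in allowed]


def order_components(pairs: Sequence[DNPair], profile: CertificateProfile) -> List[DNPair]:
    """Apply either the custom order or the LDAP/X.500 order to the components."""
    if profile.custom_dn_order:
        rank = {t.upper(): i for i, t in enumerate(profile.custom_dn_order)}
        listed = sorted((p for p in pairs if p[0] in rank), key=lambda p: rank[p[0]])
        # Components not named in Custom DN Order go to the end, in the order received.
        unlisted = [p for p in pairs if p[0] not in rank]
        return listed + unlisted
    rank = {t: i for i, t in enumerate(DEFAULT_X500_ORDER)}
    # Largest component first (C, O, ..., CN); unknown types sort after known ones.
    x500 = sorted(pairs, key=lambda p: rank.get(p[0], len(rank)))
    # LDAP DN Order lists last to first, so the smallest component (CN) comes first.
    return list(reversed(x500)) if profile.ldap_dn_order else x500


def generate_subject_dn(request_dn: str, ee_profile_components: Sequence[str],
                        profile: CertificateProfile) -> str:
    """End-to-end: filter the requested DN by the End Entity Profile, then order it."""
    pairs = filter_by_end_entity_profile(parse_dn(request_dn), ee_profile_components)
    return format_dn(order_components(pairs, profile))


if __name__ == "__main__":
    # Constructed sample request DN, including a DC that the EE profile does not allow.
    request = "C=Country, O=Organization, CN=Common Name, DC=Domain"
    print(generate_subject_dn(request, ["CN", "O", "C"], CertificateProfile(ldap_dn_order=True)))
    print(generate_subject_dn(request, ["CN", "O", "C", "DC"],
                              CertificateProfile(custom_dn_order=["CN", "C", "O"],
                                                 allow_dn_override_by_csr=False)))
```

Running the module prints the two orderings shown on the page: `CN=Common Name, O=Organization, C=Country` for the LDAP DN Order case, and `CN=Common Name, C=Country, O=Organization, DC=Domain` for the custom order with an unlisted DC appended. The `__post_init__` check is there because the page's precondition (custom order only without the override options) is easy to miss when editing profiles by hand.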