2.6 Configuring certificate DN attributes
The user DN is supplied in the certificate request in different ways, depending on which subject DN components are provided. This affects the Entrust CA Gateway configuration that is required, because the gateway must be able to build the DN from the subject variables.
The Certificate Subject DN is taken from the following locations, in the specified order, depending on CA capabilities and whether you provided them in the request:
- optionalCertificateRequestDetails/subjectDn
- subjectVariables
- The Subject DN field in a supplied Certificate Signing Request (CSR).
MyID determines which method is used from the type of certificate and the policy attributes provided in the certificate request.
2.6.1 Non-key archive certificate requests
Important: When issuing non-key archive certificates, the Entrust CA may take the DN used for the certificate DN attributes from either of the following:
- the DN from the CSR supplied in the certificate request.
- the DN attributes supplied in the certificate request.
The Entrust CA gives priority to the DN in the certificate request and uses the DN from the CSR only when no DN is provided in the request. Consequently, where the DN from the CSR must be used for a given policy, the DN attributes must not be configured for that certificate policy. For this reason, MyID provides neither the subject DN in the optional Certificate Request Details nor the subject variables when the certificate request contains no such policy attributes.
When subject DN policy attributes are provided, they are combined with the user DN from the supplied PKCS#10, and the combined subject DN components are provided in the certificate request as subject variables. Where a subject DN component is provided by a policy attribute, that component is not taken from the user DN.
2.6.2 Key archive certificate requests
A CSR is not available for key archive certificate requests. Therefore, when there are no subject DN policy attributes in the request, the full user DN is provided in the optional certificate request details.
When subject DN policy attributes are provided, they are combined with the user DN from the supplied PKCS#10, and the combined subject DN components are provided in the certificate request as subject variables. Where a subject DN component is provided by a policy attribute, that component is not taken from the user DN.
When the subject DN is provided as subject variables in the certificate request, you must ensure that the gateway is configured to accept those subject variables and to build the subject DN from them. This configuration is not visible to MyID and is outside MyID's control.
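The following script models the DN-source rules from sections 2.6.1 and 2.6.2 (which request field is populated, and how policy attributes override components of the user DN) and adds the check an administrator would want before relying on subject variables: which components the gateway DN template is not configured to map. It is an added illustration, not MyID or Entrust CA Gateway code; the request keys are the ones named above, while the comma-separated DN format, the policy-attribute dictionary and the set of gateway-accepted variable names are assumptions made for the example.

```python
from typing import Dict, Optional, Set

# Added illustration of the DN-source rules in 2.6.1 and 2.6.2; not MyID or
# Entrust code. Request keys come from the section; the DN string format and
# the shape of the policy-attribute dictionary are assumptions.

def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple comma-separated DN (no escaped commas) into components,
    keyed by upper-cased attribute type (assumption for this example)."""
    components = {}
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        components[attr_type.strip().upper()] = value.strip()
    return components

def build_subject_dn_request(user_dn: Optional[str],
                             policy_attrs: Dict[str, str],
                             key_archive: bool) -> dict:
    """Return the subject-DN part of the certificate request.

    user_dn      -- the user DN (from the PKCS#10 when a CSR is supplied)
    policy_attrs -- subject DN components set as policy attributes
    key_archive  -- True for key archive requests, where no CSR is available
    """
    if not policy_attrs:
        if key_archive:
            # 2.6.2: no CSR, so the full user DN goes in the optional details
            return {"optionalCertificateRequestDetails": {"subjectDn": user_dn}}
        # 2.6.1: send no DN, so the CA falls back to the DN in the CSR
        return {}
    # Policy attributes are merged with the user DN; a component set by policy
    # replaces the same component from the user DN.
    merged = parse_dn(user_dn) if user_dn else {}
    for attr_type, value in policy_attrs.items():
        merged[attr_type.upper()] = value
    return {"subjectVariables": merged}

def unaccepted_variables(request: dict, gateway_accepts: Set[str]) -> Set[str]:
    """Subject variables the gateway DN template is not configured to map
    (gateway_accepts is an assumed list of the variable names it maps)."""
    sent = set(request.get("subjectVariables", {}))
    return sent - {name.upper() for name in gateway_accepts}

if __name__ == "__main__":
    req = build_subject_dn_request("CN=Alice Example,OU=Staff,O=Example Corp,C=GB",
                                   {"OU": "Contractors"}, key_archive=False)
    print(req)
    print("not mapped by gateway:", unaccepted_variables(req, {"CN", "OU", "O"}))
```

A non-empty result from unaccepted_variables means the request would carry components the gateway cannot build into a DN, which is the configuration gap the final paragraph above warns is invisible to MyID.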