3.4 DN order
Entrust controls the order of the elements of the DN. Your Entrust system may have a different server-side configuration, but by default:
- The DN order may differ between archived and non-archived certificates. If you find that CA-generated certificates are being issued to different users, you are recommended to try setting the Reverse DN option for either the non-archived or the archived certificate policy. This behavior may differ across different installations of Entrust.
- When issuing internally archived Entrust certificates, the DN is always CN first regardless of the source DN format or the state of the Reverse DN flag.
- The ordering of DN elements within a certificate request is not always implemented consistently. The issuance of credentials where keys are generated on mobile devices implements ordering differently from requests generated on cards or by MyID for archived certificates.
Therefore, if you need to keep a consistent DN order across issued certificates, you are recommended to use an independent non-archived certificate policy for mobile credentials, and set the Reverse DN option for this policy to the opposite of the value used for archived certificates and card-issued non-archived certificates.
3.4.1 Reversing user DNs
You must align Entrust user DN ordering and MyID DN ordering (where possible) through the use of the Reverse DN setting for each Entrust certificate policy in the CA workflow. A typical user's ordering reflects the CA's own DN ordering.
For example, for a CA whose DN is in the form:
ou=MyEntrustCA,ou=PKI,ou=CA,dc=mydomain,dc=local
Users (known to the CA) would be in the form:
cn=Arthur Alpha,ou=MyEntrustCA,ou=PKI,ou=CA,dc=mydomain,dc=local
However, for PIV issuance, where the DN is in the form:
dc=local, dc=mydomain, ou=CA, ou=PKI, ou=MyEntrustCA, cn=Arthur Alpha
or, in the alternative noUserInDirectory case:
C=US, o=U.S. Government, ou=Department of Administration, cn=Arthur Alpha
you must set the Reverse DN flag to true.
Note: MyID does not recognize this option when using the Issue Card workflow to issue a card.
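As an added example (not code from the MyID or Entrust documentation), the following Python parses the DN forms shown above and reports whether a request DN is the mirror image of the Entrust user DN, which is the case that calls for the Reverse DN flag. It assumes RFC 4514 string form with backslash escapes and that attribute types compare case-insensitively; the function names are the example's own.

```python
# Added example (not MyID or Entrust code): sanity-check DN ordering before
# choosing a Reverse DN setting. Assumes RFC 4514 string form; attribute
# types compare case-insensitively, values exactly.

def split_dn(dn):
    """Split a DN into RDNs; a backslash-escaped comma stays inside its value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]          # tolerate ", " spacing in PIV forms

def normalise(dn):
    """List of (type, value) with lower-cased types, e.g. ('dc', 'local')."""
    out = []
    for rdn in split_dn(dn):
        attr_type, _, value = rdn.partition("=")
        out.append((attr_type.strip().lower(), value.strip()))
    return out

def reverse_dn(dn):
    """Mirror the RDN order, as the Reverse DN option does, keeping spelling."""
    return ",".join(reversed(split_dn(dn)))

def is_cn_first(dn):
    """True for Entrust-style order (CN first), False for X.500 forward order."""
    return normalise(dn)[0][0] == "cn"

def same_dn_ignoring_order(a, b):
    """True if a and b name the same entry in either order."""
    na, nb = normalise(a), normalise(b)
    return na == nb or na == list(reversed(nb))

def needs_reverse_dn(entrust_user_dn, request_dn):
    """Reverse DN should be set when the request order is the mirror of the
    Entrust user's order; raises if the two DNs differ in content."""
    if not same_dn_ignoring_order(entrust_user_dn, request_dn):
        raise ValueError("DNs differ in content, not just in order")
    return is_cn_first(entrust_user_dn) != is_cn_first(request_dn)
```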