How PKI Services interprets distinguished names (DNs) on CMP requests

The subject distinguished name is encoded in a CMP certificate request by the CMP client. The order in which the client places the relative distinguished names (RDNs) in the subject field is the order in which the RDNs appear in the issued certificate. PKI Services interprets the order to be least significant RDN first and most significant RDN last.

This becomes important when PKI Services posts the issued certificate to an LDAP server, because the LDAP server defines a root suffix under which it allows objects and attributes to be stored. If the LDAP server has a defined root suffix of "C=US", and PKI Services attempts to post a certificate with a subject name "CN=Gumby,O=IBM,C=US", the request succeeds because the string form of the subject name has C=US as the rightmost RDN, and that is the defined LDAP root suffix. If, however, the CMP client encoded the subject name in the reverse order, the subject name string that PKI Services uses to post the certificate would be "C=US,O=IBM,CN=Gumby". This post request fails because the interpreted root suffix of CN=Gumby does not exist in LDAP.

Guideline: When encoding a subject distinguished name in a certificate request, clients should place the least significant RDN first and the most significant RDN last.

Example: This example shows the encoded form of CN=Gumby,O=IBM,C=US:
SEQUENCE {
. SET {
. . SEQUENCE {
. . . OBJECT IDENTIFIER countryName (2 5 4 6)
. . . PrintableString 'US'
. . . }
. . }
. SET {
. . SEQUENCE {
. . . OBJECT IDENTIFIER organizationName (2 5 4 10)
. . . PrintableString 'IBM'
. . . }
. . }
. SET {
. . SEQUENCE {
. . . OBJECT IDENTIFIER commonName (2 5 4 3)
. . . PrintableString 'Gumby'
. . . }
. . }
. }

When the PKI Services CMP CGI program receives a CMP request from a CMP client, it attempts to determine the target CA domain to route the request to, using the supplied issuer DN or the recipient (if it is in the form of a DN). The CMP CGI program interprets the encoded DN values to be the least significant RDN first and most significant RDN last. The program builds a string representation of the issuer or recipient DN from left to right, starting with the last RDN in the sequence and ending with the first RDN. The CMP CGI program then compares the string that it built to the values of the _PKISERV_CMP_DOMAIN_ISSUERx environment variables. During the comparison of the strings, the program tries the comparison both ways, right to left and left to right, so if the distinguished name in the request is OU=Master CA,O=IBM,C=US it matches a _PKISERV_CMP_DOMAIN_ISSUERx value of either OU=Master CA,O=IBM,C=US or C=US,O=IBM,OU=Master CA.
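The following is an added illustration, not code from the PKI Services documentation or product: it decodes a DER-encoded X.501 Name (a constructed byte string matching the dump above), builds the DN string the way the text describes (last RDN in the SEQUENCE leftmost), and applies both checks discussed on this page, the LDAP root-suffix check for the post and the two-direction comparison against a _PKISERV_CMP_DOMAIN_ISSUERx value. It assumes single-valued RDNs, short-form DER lengths, PrintableString values, and no escaped commas in the DN strings.

```python
OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}

def _tlv(buf, pos):
    # One DER element as (tag, content, next_pos); short-form lengths only.
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form DER lengths not handled in this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def _children(content):
    pos, out = 0, []
    while pos < len(content):  # split a constructed element into its children
        tag, child, pos = _tlv(content, pos)
        out.append((tag, child))
    return out

def _oid_to_str(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:              # base-128 arcs, high bit = continuation
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def name_to_string(der):
    """Build the DN string as described: the last RDN in the SEQUENCE becomes leftmost."""
    _, seq, _ = _tlv(der, 0)                    # outer SEQUENCE OF RelativeDistinguishedName
    rdns = []
    for _, rdn in _children(seq):               # each SET is one RDN
        _, atv = _children(rdn)[0]              # single-valued RDN assumed
        (_, oid), (_, value) = _children(atv)   # AttributeTypeAndValue
        attr = _oid_to_str(oid)
        rdns.append(f"{OID_NAMES.get(attr, attr)}={value.decode('ascii')}")
    return ",".join(reversed(rdns))

def ldap_post_suffix_ok(subject_dn, root_suffix):
    """The post succeeds only if the LDAP root suffix is the rightmost part of the string."""
    parts, suffix = subject_dn.split(","), root_suffix.split(",")
    return parts[-len(suffix):] == suffix

def matches_issuer(request_dn, configured_dn):
    """Compare as the CMP CGI does: equal read left to right, or equal read right to left."""
    a, b = request_dn.split(","), configured_dn.split(",")
    return a == b or a == b[::-1]

EXAMPLE_NAME = bytes.fromhex(       # constructed DER for CN=Gumby,O=IBM,C=US, C=US first
    "302b"
    "310b3009" "0603550406" "13025553"        # SET { SEQUENCE { countryName, 'US' } }
    "310c300a" "060355040a" "130349424d"      # SET { SEQUENCE { organizationName, 'IBM' } }
    "310e300c" "0603550403" "130547756d6279"  # SET { SEQUENCE { commonName, 'Gumby' } }
)
```

Reversing the three SET elements in EXAMPLE_NAME produces the string "C=US,O=IBM,CN=Gumby", which ldap_post_suffix_ok rejects for a root suffix of "C=US".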