Determining the CA domain to which a request is routed

To determine the CA domain to which it routes a request, the CMP CGI program first tries to determine the issuer distinguished name:
  • If the message type is cr (certificate request), the issuer field of the CertTemplate structure is used as the issuer distinguished name if it is present. If it is not, the recipient field in the message header is used as the issuer distinguished name if it is in the form of a Directory Name (distinguished name). If the recipient field is not in the form of a Directory Name, an issuer distinguished name is not used to determine the CA domain name; instead, the URL to which the CMP request was sent is used to determine the CA domain.
  • If the message type is p10cr (PKCS #10 certificate request message), the recipient field in the message header is used as the issuer distinguished name if it is in the form of a Directory Name (distinguished name). If the recipient field is not in the form of a Directory Name, an issuer distinguished name is not used to determine the CA domain name; instead, the URL to which the CMP request was sent is used to determine the CA domain.
  • If the message type is rr (revoke request), the issuer and serial number fields of the CertDetails field are used as the issuer distinguished name and certificate serial number to be revoked or suspended. If the serial number is not present, the request is rejected. If the issuer field is not present, the recipient field in the message header is used as the issuer distinguished name if it is in the form of a Directory Name (distinguished name). If the recipient field is not in the form of a Directory Name, an issuer distinguished name is not used to determine the CA domain name; instead, the URL to which the CMP request was sent is used to determine the CA domain.
If the CMP CGI program was able to determine the issuer distinguished name, and the request is a certificate request (type cr or p10cr), the CMP CGI program does the following processing to determine to which CA domain it routes the request:
  1. The CMP CGI program compares the issuer distinguished name extracted from the request in string format to the values defined in the _PKISERV_CMP_DOMAIN_ISSUERi environment variables (where i is 1 through the number of CA domains). The comparison is made by comparing the relative distinguished names in order of specification (first from most specific to least specific, then least specific to most specific). For example, if the issuer distinguished name in a request message is OU=STG,O=IBM,C=US, it would match a _PKISERV_CMP_DOMAIN_ISSUERi environment variable whose value was set to either of the following values:
    • OU=STG, O=IBM, C=US (most specific first)
    • c=us,o=ibm,ou=stg (least specific first)
    The comparison is made without regard to character case (case-insensitive). Some differences in spacing are allowed: for example, "O=IBM" matches "O = IBM", but not "O=I B M".

    If a match is found for the issuer distinguished name, the CMP CGI continues to step 2. If no match is found, it uses the URL to which the CMP request was sent to determine the CA domain.

  2. The number (i) of the matching _PKISERV_CMP_DOMAIN_ISSUERi environment variable is used to read the domain name environment variable _PKISERV_CMP_DOMAIN_NAMEi_n. The _PKISERV_CMP_DOMAIN_NAMEi_n with the highest value of n is used because it represents the current domain name for the CA for accepting new certificate requests. (When the value of n is greater than 1, at least one CA roll over occurred.) For example, if the issuer distinguished name in a cr message matched the value in _PKISERV_CMP_DOMAIN_ISSUER3, and one CA roll over occurred for that CA, the CA domain name is retrieved from the _PKISERV_CMP_DOMAIN_NAME3_2 environment variable. If the _PKISERV_CMP_DOMAIN_NAMEi_n environment variable cannot be read, the CMP request is rejected.
If the CMP CGI program was able to determine the issuer distinguished name, and the request is a revoke request (type rr), and a serial number was present in the request, the CMP CGI program does the following processing to determine to which CA domain it routes the request:
  1. The CMP CGI program compares the issuer distinguished name that is extracted from the request in string format to the values defined in the _PKISERV_CMP_DOMAIN_ISSUERi environment variables (where i is 1 through the number of CA domains). The comparison is made in the same manner as described in step 1 for cr and p10cr requests. If a match is found for the issuer distinguished name, the CMP CGI continues to step 2. If no match is found, it uses the URL to which the CMP request was sent to determine the CA domain.
  2. The number (i) of the matching _PKISERV_CMP_DOMAIN_ISSUERi environment variable is then used to read the serial number domain name environment variables _PKISERV_CMP_DOMAIN_FSTSNi_n. Each _PKISERV_CMP_DOMAIN_FSTSNi_n environment variable is read, starting with an n value of 1, and compared to the serial number retrieved from the rr request.
    • If there are no _PKISERV_CMP_DOMAIN_FSTSNi_n environment variables that are defined, the domain name is read from the _PKISERV_CMP_DOMAIN_NAMEi_1 environment variable.
    • If the serial number is greater than the environment variable value and less than the value of the next environment variable (or that environment variable is the last one defined), the domain name is read from the corresponding _PKISERV_CMP_DOMAIN_NAMEi_n environment variable.
      Example: An rr request is made by a CMP client specifying an issuer distinguished name of OU=STG, O=IBM, C=US, and the following sample is an excerpt from the defined environment variables:
      _PKISERV_CMP_DOMAIN_ISSUER3= OU=STG, O=IBM, C=US
      _PKISERV_CMP_DOMAIN_NAME3_1=STG_CA
      _PKISERV_CMP_DOMAIN_NAME3_2=STG_CA2
      _PKISERV_CMP_DOMAIN_NAME3_3=STG_CA3
      _PKISERV_CMP_DOMAIN_FSTSN3_1=3
      _PKISERV_CMP_DOMAIN_FSTSN3_2=12500
      _PKISERV_CMP_DOMAIN_FSTSN3_3=25000
      If the serial number specified in the rr request is 20000 decimal, the revocation request is routed to the STG_CA2 domain because STG_CA2’s first serial number is less than 20000, and the first serial number that is issued by STG_CA3 is greater than 20000.
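The following added example (not IBM's CMP CGI code) models both routing procedures above, the cr/p10cr rule and the rr serial-number rule, over a constructed environment that mirrors the excerpt; the DN normalisation and the handling of a serial equal to or below a CA's first serial number are assumptions.

```python
import re

# Constructed sample environment mirroring the excerpt above.
ENV = {
    "_PKISERV_CMP_DOMAIN_ISSUER3": "OU=STG, O=IBM, C=US",
    "_PKISERV_CMP_DOMAIN_NAME3_1": "STG_CA",
    "_PKISERV_CMP_DOMAIN_NAME3_2": "STG_CA2",
    "_PKISERV_CMP_DOMAIN_NAME3_3": "STG_CA3",
    "_PKISERV_CMP_DOMAIN_FSTSN3_1": "3",
    "_PKISERV_CMP_DOMAIN_FSTSN3_2": "12500",
    "_PKISERV_CMP_DOMAIN_FSTSN3_3": "25000",
}

def rdns(dn):
    """Split a DN into normalised RDNs: case-folded, spaces around '='
    removed, embedded spaces kept (so "O=I B M" stays distinct). Assumed."""
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(",")]

def match_issuer(env, issuer_dn):
    """Return i of the _PKISERV_CMP_DOMAIN_ISSUERi equal to issuer_dn in
    either RDN order, or None (caller then falls back to the request URL)."""
    want = rdns(issuer_dn)
    for key, val in env.items():
        m = re.fullmatch(r"_PKISERV_CMP_DOMAIN_ISSUER(\d+)", key)
        if m and rdns(val) in (want, want[::-1]):
            return int(m.group(1))
    return None

def route_cert_request(env, issuer_dn):
    """cr/p10cr: domain name with the highest n (current CA after roll-overs)."""
    i = match_issuer(env, issuer_dn)
    if i is None:
        return None
    names = {int(k.rsplit("_", 1)[1]): v for k, v in env.items()
             if k.startswith(f"_PKISERV_CMP_DOMAIN_NAME{i}_")}
    return names[max(names)] if names else None  # no NAME var: reject

def route_revoke_request(env, issuer_dn, serial):
    """rr: choose the n whose first serial number (FSTSN) is the largest
    one not above the serial; equal counts as that CA's (assumption)."""
    i = match_issuer(env, issuer_dn)
    if i is None:
        return None
    fstsn = {int(k.rsplit("_", 1)[1]): int(v) for k, v in env.items()
             if k.startswith(f"_PKISERV_CMP_DOMAIN_FSTSN{i}_")}
    if not fstsn:
        return env.get(f"_PKISERV_CMP_DOMAIN_NAME{i}_1")
    # Serial below every FSTSN is not covered by the text; default to n=1.
    n = max((n for n in fstsn if fstsn[n] <= serial), default=1)
    return env.get(f"_PKISERV_CMP_DOMAIN_NAME{i}_{n}")
```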