Certificates DN

certificatecertificate-authority

I have few questions related to DN in Certificates,

Is it possible for multiple users certificates to have same DN issued by
same CA? Also, is it ok for one user to have multiple certificates with same
DN and same validity?
Is it possible to include CA related information (serial number, name or id etc) in some attribute of user certificate DN in case we have multiple CAs? e.g. cn=user001,ou=SSL,ou=001,o=DS,c=US. If yes then which attribute we can use for it?

If possible please provide name or link to the RFC / standard for further guidance.

Thank you

Best Answer

Yes. You can issue certificates with the same DN, but such certificates should belong to the same user. According to RFC5280, section 4.1.2.6:

Where it is non-empty, the subject field MUST contain an X.500 distinguished name (DN). The DN MUST be unique for each subject entity certified by the one CA as defined by the issuer field. A CA MAY issue more than one certificate with the same DN to the same subject entity.

Though it is possible, but I don't think what you suggested is the best way. Every certificate must contain an "issuer" field, which must be non-empty, and must contain a DN (see section 4.1.2.4 of the aformentioned RFC), which should unambiguously identify the CA (it can contain a serialNumber field, for example). In addition to this, you can include any kind of information about the signer certificate in the authority key identifier extension, so that is the place for arbitrary attributes.

Related Solutions

Apache – Configuring SSL VirtualHosts on a Single IP with UCC/SAN Certificate

I tested this on my apache 2.2.14 instance and it worked fine:

Use the NameVirtualHost directive (to ports.conf):

NameVirtualHost *:443

define your vhosts:

<VirtualHost *:443>
  ServerName www.siteA.com
  DocumentRoot "/opt/apache22/htdocs/siteA"
  SSLCertificateFile "/path/to/my/cert"
  SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>
<VirtualHost *:443>
  ServerName www.siteB.com
  DocumentRoot "/opt/apache22/htdocs/siteB"
  SSLCertificateFile "/path/to/my/cert"
  SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>

I used this link as a resource.

Why does Windows CA Server issue multiple certificates for the same user

I'm going to hypothesize that you're not using Roaming User Profiles, AppData Folder Redirection, or Credential Roaming in your environment. These features would allow the users' certificates to "follow" them as they move between computers. Because you're not using any of these features it's necessary for new certificates to be created. The old certificates can't be "re-issued" because the private key isn't present on the subsequent computer that the user is using.

I'd read-up on the three methods for "roaming" credentials between client computers to see which one will work best in your environment.

Best Answer

Related Solutions

Apache – Configuring SSL VirtualHosts on a Single IP with UCC/SAN Certificate

Why does Windows CA Server issue multiple certificates for the same user

Related Topic