2.9. Managing Subject Names and Subject Alternative Names

The subject name of a certificate is a distinguished name (DN) that contains identifying information about the entity to which the certificate is issued. This subject name can be built from standard LDAP directory components, such as common names and organizational units. These components are defined in X.500. In addition to — or even in place of — the subject name, the certificate can have a subject alternative name, which is a kind of extension set for the certificate that includes additional information that is not defined in X.500.
The naming components for both subject names and subject alternative names can be customized.

Important

If the subject name is empty, then the Subject Alternative Name extension must be present and marked critical.

2.9.1. Using the Requester CN or UID in the Subject Name

The cn or uid value from a certificate request can be used to build the subject name of the issued certificate. This section demonstrates a profile that requires the naming attribute (CN or UID) being specified in the Subject Name Constraint to be present in the certificate request. If the naming attribute is missing, the request is rejected.
There are two parts to this configuration:
  • The CN or UID format is set in the pattern configuration in the Subject Name Constraint.
  • The format of the subject DN, including the CN or UID token and the specific suffix for the certificate, is set in the Subject Name Default.
For example, to use the CN in the subject DN:
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,DC=example, DC=com
In this example, if a request comes in with the CN of cn=John Smith, then the certificate will be issued with a subject DN of cn=John Smith,DC=example, DC=com. If the request comes in but it has a UID of uid=jsmith and no CN, then the request is rejected.
The same configuration is used to pull the requester UID into the subject DN:
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=UID=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=UID=$request.req_subject_name.uid$,DC=example, DC=com

2.9.2. Inserting LDAP Directory Attribute Values and Other Information into the Subject Alt Name

Information from an LDAP directory or that was submitted by the requester can be inserted into the subject alternative name of the certificate by using matching variables in the Subject Alt Name Extension Default configuration. This default sets the type (format) of information and then the matching pattern (variable) to use to retrieve the information. For example:
policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
policyset.userCertSet.8.default.name=Subject Alt Name Constraint
policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.mail
policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
This inserts the requester's email as the first CN component in the subject alt name. To use additional components, increment the Type_, Pattern_, and Enable_ values numerically, such as Type_1.
Configuring the subject alt name is detailed in Section B.1.23, “Subject Alternative Name Extension Default”, as well.
To insert LDAP components into the subject alt name of the certificate:
  1. Inserting LDAP attribute values requires enabling the user directory authentication plug-in, UidPwdDirAuth.
    1. Open the CA Console.
      pkiconsole https://server.example.com:8443/ca
    2. Select Authentication in the left navigation tree.
    3. In the Authentication Instance tab, click Add, and add an instance of the UidPwdDirAuth authentication plug-in.
    4. Set the information for the LDAP directory.
    5. Set the LDAP attributes to populate.
    6. Save the new plug-in instance.
    For information on configuring the LDAP authentication modules, see Section 8.2.1, “Setting up Directory-Based Authentication”.
  2. When the new authentication plug-in is added, the corresponding parameters are added to the CA's CS.cfg file. For example, this instance of the UidPwdDirAuth plug-in is set to populate the mail attribute:
     ...
     auths.instance.UserDirEnrollment.dnpattern=
     auths.instance.UserDirEnrollment.ldapByteAttributes=
     auths.instance.UserDirEnrollment.ldapStringAttributes=mail  
     auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
     auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
     auths.instance.UserDirEnrollment.ldap.maxConns=
     auths.instance.UserDirEnrollment.ldap.minConns=
     auths.instance.UserDirEnrollment.ldap.ldapconn.host=localhost
     auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
     auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false...
    The ldapStringAttributes parameter instructs the authentication plug-in to read the value of the mail attribute from the user's LDAP entry and put that value in the certificate request. When the value is in the request, the certificate profile policy can be set to insert that value for an extension value.
    The format for the dnpattern parameter is covered in Section B.2.11, “Subject Name Constraint” and Section B.1.27, “Subject Name Default”.
  3. To enable the CA to insert the LDAP attribute value in the certificate extension, edit the profile's configuration file, and insert a policy set parameter for an extension. For example, to insert the mail attribute value in the Subject Alternative Name extension in the caDirUser profile, do the following:
    cd /var/lib/pki/instance_name/ca/profiles/ca/
    
    vi caDirUserCert.cfg
    
    policyset.setID.8.default.params.subjAltExtPattern_0=$request.auth_token.mail[0]$
  4. Restart the CA.
    systemctl restart pki-tomcatd@instance-name.service
For this example, certificates submitted through the caDirUser profile enrollment form will have the Subject Alternative Name extension added with the value of the requester's mail LDAP attribute. For example:
Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no
    Value:
    RFC822Name: jsmith@example.com
There are many attributes which can be automatically inserted into certificates by being set as a token ($X$) in any of the Pattern_ parameters in the policy set. The common tokens are listed in Table 2.5, “Variables Used to Populate Certificates”, and the default profiles contain examples for how these tokens are used.

Table 2.5. Variables Used to Populate Certificates

Policy Set Token Description
$request.auth_token.cn[0]$ The LDAP common name (cn) attribute of the user who requested the certificate.
$request.auth_token.mail[0]$ The value of the LDAP email (mail) attribute of the user who requested the certificate.
$request.auth_token.tokencertsubject$ The certificate subject name.
$request.auth_token.uid$ The LDAP user ID (uid) attribute of the user who requested the certificate.
$request.auth_token.userdn$ The user DN of the user who requested the certificate.
$request.auth_token.userid$ The value of the user ID attribute for the user who requested the certificate.
$request.uid$ The value of the user ID attribute for the user who requested the certificate.
$request.requestor_email$ The email address of the person who submitted the request.
$request.request_name$ The person who submitted the request.
$request.upn$ The Microsoft UPN. This has the format (UTF8String)1.3.6.1.4.1.311.20.2.3,$request.upn$.
$server.source$ Instructs the server to generate a version 4 UUID (random number) component in the subject name. This always has the format (IA5String)1.2.3.4,$server.source$.
$request.auth_token.user$ Used when the request was submitted by TPS. The TPS subsystem trusted manager who requested the certificate.
$request.subject$ Used when the request was submitted by TPS. The subject name DN of the entity to which TPS has resolved and requested for. For example, cn=John.Smith.123456789,o=TMS Org

2.9.3. Changing DN Attributes in CA-Issued Certificates

In certificates issued by the Certificate System, DNs identify the entity that owns the certificate. In all cases, if the Certificate System is connected with a Directory Server, the format of the DNs in the certificates should match the format of the DNs in the directory. It is not necessary that the names match exactly; certificate mapping allows the subject DN in a certificate to be different from the one in the directory.
In the Certificate System, the DN is based on the components, or attributes, defined in the X.509 standard. Table 2.6, “Allowed Characters for Value Types” lists the attributes supported by default. The set of attributes is extensible.

Table 2.6. Allowed Characters for Value Types

Attribute Value Type Object Identifier
cn DirectoryString 2.5.4.3
ou DirectoryString 2.5.4.11
o DirectoryString 2.5.4.10
c PrintableString , two-character 2.5.4.6
l DirectoryString 2.5.4.7
st DirectoryString 2.5.4.8
street DirectoryString 2.5.4.9
title DirectoryString 2.5.4.12
uid DirectoryString 0.9.2342.19200300.100.1.1
mail IA5String 1.2.840.113549.1.9.1
dc IA5String 0.9.2342.19200300.100.1.2.25
serialnumber PrintableString 2.5.4.5
unstructuredname IA5String 1.2.840.113549.1.9.2
unstructuredaddress PrintableString 1.2.840.113549.1.9.8
By default, the Certificate System supports the attributes identified in Table 2.6, “Allowed Characters for Value Types”. This list of supported attributes can be extended by creating or adding new attributes. The syntax for adding additional X.500Name attributes, or components, is as follows:
X500Name.NEW_ATTRNAME.oid=n.n.n.n
X500Name.NEW_ATTRNAME.class=string_to_DER_value_converter_class
The value converter class converts a string to an ASN.1 value; this class must implement the netscape.security.x509.AVAValueConverter interface. The string-to-value converter class can be one of the following:
  • netscape.security.x509.PrintableConverter converts a string to a PrintableString value. The string must have only printable characters.
  • netscape.security.x509.IA5StringConverter converts a string to an IA5String value. The string must have only IA5String characters.
  • netscape.security.x509.DirStrConverter converts a string to a DirectoryString. The string is expected to be in DirectoryString format according to RFC 2253.
  • netscape.security.x509.GenericValueConverter converts a string character by character in the following order, from the smallest characterset to the largest:
    • Printable
    • IA5String
    • BMPString
    • Universal String
An attribute entry looks like the following:
X500Name.MY_ATTR.oid=1.2.3.4.5.6
X500Name.MY_ATTR.class=netscape.security.x509.DirStrConverter

2.9.3.1. Adding New or Custom Attributes

To add a new or proprietary attribute to the Certificate System schema, do the following:
  1. Stop the Certificate Manager.
    systemctl stop pki-tomcatd@instance-name.service
  2. Open the /var/lib/pki/cs_instance/conf/ directory.
  3. Open the configuration file, CS.cfg.
  4. Add the new attributes to the configuration file.
    For example, to add three proprietary attributes, MYATTR1 that is a DirectoryString, MYATTR2 that is an IA5String, and MYATTR3 that is a PrintableString, add the following lines at the end of the configuration file:
    X500Name.attr.MYATTR1.oid=1.2.3.4.5.6
    X500Name.attr.MYATTR1.class=netscape.security.x509.DirStrConverter
    X500Name.attr.MYATTR2.oid=11.22.33.44.55.66
    X500Name.attr.MYATTR2.class=netscape.security.x509.IA5StringConverter
    X500Name.attr.MYATTR3.oid=111.222.333.444.555.666
    X500Name.attr.MYATTR3.class=netscape.security.x509.PrintableConverter
    
  5. Save the changes, and close the file.
  6. Restart the Certificate Manager.
    systemctl start pki-tomcatd@instance-name.service
  7. Reload the enrollment page and verify the changes; the new attributes should show up in the form.
  8. To verify that the new attributes are in effect, request a certificate using the manual enrollment form.
    Enter values for the new attributes so that it can be verified that they appear in the certificate subject names. For example, enter the following values for the new attributes and look for them in the subject name:
    MYATTR1: a_value
    MYATTR2: a.Value
    MYATTR3: aValue
    cn: John Doe
    o: Example Corporation
    
  9. Open the agent services page, and approve the request.
  10. When the certificate is issued, check the subject name. The certificate should show the new attribute values in the subject name.

2.9.3.2. Changing the DER-Encoding Order

It is possible to change the DER-encoding order of a DirectoryString, so that the string is configurable since different clients support different encodings.
The syntax for changing the DER-encoding order of a DirectoryString is as follows:
X500Name.directoryStringEncodingOrder=encoding_list_separated_by_commas
The possible encoding values are as follows:
  • Printable
  • IA5String
  • UniversalString
  • BMPString
  • UTF8String
For example, the DER-encoding ordered can be listed as follows:
X500Name.directoryStringEncodingOrder=Printable,BMPString
To change the DirectoryString encoding, do the following:
  1. Stop the Certificate Manager.
    systemctl stop pki-tomcatd@instance-name.service
  2. Open the /var/lib/pki/cs_instance/conf/ directory.
  3. Open the CS.cfg configuration file.
  4. Add the encoding order to the configuration file.
    For example, to specify two encoding values, PrintableString and UniversalString, and the encoding order is PrintableString first and UniversalString next, add the following line at the end of the configuration file:
    X500Name.directoryStringEncodingOrder=PrintableString, UniversalString
    
  5. Save the changes, and close the file.
  6. Start the Certificate Manager.
    systemctl start pki-tomcatd@instance-name.service
  7. To verify that the encoding orders are in effect, enroll for a certificate using the manual enrollment form. Use John_Doe for the cn.
  8. Open the agent services page, and approve the request.
  9. When the certificate is issued, use the dumpasn1 tool to examine the encoding of the certificate.
    The cn component of the subject name should be encoded as a UniversalString.
  10. Create and submit a new request using John Smith for the cn.
    The cn component of the subject name should be encoded as a PrintableString.