The coupling between DNs in certificates and DNs in LDAP is a
historical accident caused by the X.509 certificate format originally
being intended only for X.500 directories (the kind accessed with LDAP).

This history also assumed that there would be only one, distributed,
worldwide X.500 directory whose initial content would be the phone
books from all the world's phone companies (hence the name "directory"
and the focus on a country-state-city-neighborhood-street-company-name
tagged format).

Most public CAs work as follows:

1. The primary database of issued certificates is based on the
certificate serial number, and holds both the certificate and various
hidden information, such as revocation passwords and links to a
traditional business customer database.

2. Because most modern uses of X.509 only inspect the CN field in the
DN, and the similar data in Subject Alternative Names, CAs also
index their database by those values to make sure they don't issue
certificates for the same server or e-mail address to multiple customers.
(It is sometimes practical for a single customer to get multiple valid
certificates for their own name, e.g. if they use redundant servers,
and CAs are happy to charge for this service).

The only major system I know that still uses X.509 DNs to refer to
DNs in an LDAP directory is the Windows Server "Enterprise CA"
feature, which issues certificates for entries in an associated
"Active Directory" LDAP database (for smart card login etc.).


On 11/17/2011 2:27 PM, sandeep kiran p wrote:
Hi,

A quick question. Does the SubjectName in a certificate really need to point to an LDAP DN in an X500 Directory that a CA uses, or do CAs manage the SubjectName DNs without actually using any sort of Directory? I want to know whether it is a general practice for CAs not to maintain any LDAP Directories when issuing certificates with DNs. If it does not use DNs from an LDAP directory, how does the CA maintain a hierarchy for the SubjectName DNs it issues?

If it is not done through a Directory, how does a CA maintain the list of certificates it issues to a particular Subject? Will it just be file system based storage?

Thanks
Sandeep



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
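The indexing scheme described in step 2 of the reply above, as an added toy example that is not part of the original message: a CA-side record store keyed by certificate serial number, with a secondary index on CN and SAN names that refuses to issue an already-held name to a different customer while still allowing the same customer's redundant servers. The DN parser assumes RFC 4514 string form with backslash escapes only (hex escapes are not handled), and every record is constructed.

```python
"""Toy CA issuance index: primary key = serial, secondary index = CN/SAN names."""
from dataclasses import dataclass


@dataclass
class Cert:
    serial: int
    subject: str     # RFC 4514 DN string, e.g. "CN=www.example.com,O=Example,C=US"
    sans: list       # SAN dNSName / rfc822Name values as strings
    customer: str    # CA-side link to the business customer record (not in the cert)


def parse_dn(dn: str) -> list:
    """Split an RFC 4514 DN into (type, value) pairs; ',' and '+' separate
    attributes, a backslash escapes the next character (hex escapes not handled)."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            esc = True
        elif ch in ",+":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    pairs = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def names_of(cert: Cert) -> set:
    """Values the CA indexes: every CN in the subject plus all SAN entries, case-folded."""
    cns = [v for t, v in parse_dn(cert.subject) if t == "cn"]
    return {n.lower() for n in cns + cert.sans}


class IssuanceIndex:
    def __init__(self):
        self.by_serial = {}   # serial -> Cert (the primary database)
        self.by_name = {}     # name -> customer currently holding that name

    def issue(self, cert: Cert) -> bool:
        """Record the cert; refuse if any of its names is held by another customer."""
        names = names_of(cert)
        if any(self.by_name.get(n) not in (None, cert.customer) for n in names):
            return False
        self.by_serial[cert.serial] = cert
        for n in names:
            self.by_name[n] = cert.customer
        return True
```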
