...

There are two client identification methods:

  1. X.509 Certificate Authentication
  2. Client IP Address Identification

X.509 Certificate Authentication

...

Criteria and Description

SUBJECT

Matches the X.509 subject field. The subject field is formatted as an X.501 Distinguished Name (DN). A DN is a hierarchical list of attributes referred to as Relative Distinguished Names (RDNs).

RDNs are separated with a comma ( , ) by default. If a different separator is required (perhaps one of the RDN values uses a comma), start the DN with the different separator character. Valid separators are slash ( / ), comma ( , ), semicolon ( ; ), and period ( . ).

Many RDN values can be used in a DN. Some of the most common values are:

  • C (Country name)
  • CN (Common name)
  • L (Locality)
  • O (Organization)
  • OU (Organizational Unit)
  • ST (State)

The RDN attributes must be listed in the same order as they are defined in the certificate to be considered matched.

A partial DN can be specified. All certificates that have a subject name that matches up to the last RDN are considered a match. This permits a group of certificates to be matched.

The RDN attribute values can include pattern matching characters. An asterisk ( * ) matches 0 or more characters and a question mark ( ? ) matches one character.

Some example SUBJECT values are:

  • subject="C=US,ST=Georgia,O=Acme,CN=Road Runner"
  • subject="C=US,ST=Georgia,O=Acme,CN=Road *"
  • subject="C=US,ST=Georgia,O=Acme,CN=Road ?unner"

Whether or not an RDN value is case sensitive depends on the format in which the value is stored. The certificate creator has some control over which format is used. All formats except for printableString are case sensitive.

EMAIL

Matches the X.509 emailAddress attribute of the subject field and rfc822Name of the subjectAltName extension value. Both fields format the email address as an RFC 822 addr-spec in the form of identifier@domain.

The attribute values may include pattern matching characters. An asterisk ( * ) matches 0 or more characters and a question mark ( ? ) matches one character.

Some example EMAIL values are:

  • email=user1@acme.com
  • email=*@acme.com
  • email=user?@acme.com

RFC 822 names are not case sensitive.

HOSTNAME

Matches the following X.509 fields in the order listed:

  1. dNSName of the subjectAltName extension value.
  2. commonName (CN) RDN attribute of the subject field's DN value.

Some example HOSTNAME values are:

  • hostname=bigfish.acme.com
  • hostname=*.acme.com

The values are not case sensitive.
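The SUBJECT matching rules above (ordered RDNs, partial-DN prefix matching, an alternate leading separator, and the * and ? wildcards also used by EMAIL and HOSTNAME) as an added, self-contained example; this is illustration code, not the product's own implementation. It assumes attribute names compare case-insensitively and that the caller decides, per certificate, whether values are printableString (case-insensitive) or not.

```python
import re

# Valid RDN separator characters; a DN that starts with one of them uses it instead of ','.
SEPARATORS = "/,;."


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into its ordered list of (attribute, value) RDNs.

    If the string begins with one of SEPARATORS that character is the separator,
    which lets a value such as "Acme, Inc." contain a comma. Attribute names are
    upper-cased for comparison (an assumption of this example, not a stated rule).
    """
    sep = ","
    if dn and dn[0] in SEPARATORS:
        sep, dn = dn[0], dn[1:]
    rdns = []
    for part in dn.split(sep):
        attr, _, value = part.partition("=")
        if attr.strip():
            rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def glob_to_regex(value: str, case_sensitive: bool) -> re.Pattern:
    """'*' matches zero or more characters, '?' exactly one; everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
    return re.compile(f"^{body}$", 0 if case_sensitive else re.IGNORECASE)


def subject_matches(pattern: str, cert_subject: str, case_sensitive: bool = True) -> bool:
    """Return True when the certificate subject matches the configured pattern.

    A partial pattern matches every subject whose leading RDNs agree with it, in the
    same order, up to the pattern's last RDN. An empty pattern is rejected so that a
    blank configuration value can never match every certificate. Pass
    case_sensitive=False only for values stored as printableString.
    """
    want, have = parse_dn(pattern), parse_dn(cert_subject)
    if not want or len(want) > len(have):
        return False
    for (w_attr, w_val), (h_attr, h_val) in zip(want, have):
        if w_attr != h_attr or not glob_to_regex(w_val, case_sensitive).match(h_val):
            return False
    return True
```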

IPADDRESS

Matches the X.509 iPAddress field of the subjectAltName extension value.
 
An example IPADDRESS value is:

  • ipaddress=10.20.30.40

SERIALNUMBER

Matches the X.509 serialNumber value.
 
The value can be specified in a hexadecimal format by prefixing the value with 0x or 0X, otherwise, the value is considered a decimal format. For example, the value 0x016A392E7F would be considered a hexadecimal format.
 
An example SERIALNUMBER value is:

  • serialnumber=0x7a2d52cbae

...