

Search Sequence Scenario

In this example, the following records exist and all are trusted. They are listed in the order in which they are grouped in the search table.

CERTMAP(MAP001) ACID(NJDEPT1)
    IDNFILTR(OU=Verisign Class 1 Individual Subscriber.O=Verisign,Inc.L=Internet)
    SDNFILTR(OU=DEPT1.OU=NJ.OU=Sales.O=ABC Co)
CERTMAP(MAP002) ACID(NJDEPTX)
    IDNFILTR(O=Verisign,Inc.L=Internet)
    SDNFILTR(OU=Sales.O=ABC Co)
CERTMAP(MAP003) ACID(NYDEPT2)
    SDNFILTR(OU=DEPT2.OU=NY,OU=Sales.O=ABC Co)
CERTMAP(MAP004) ACID(NYDEPT3)
    SDNFILTR(OU=DEPT3.OU=NY,OU=Sales.O=ABC Co)
CERTMAP(MAP005) ACID(ABCDEPT)
    SDNFILTR(OU=Sales.O=ABC Co)
CERTMAP(MAP006) ACID(ABCTECH)
    SDNFILTR(OU=R&D.O=ABC Co)
CERTMAP(MAP007) ACID(MULTIID)
    IDNFILTR(O=Verisign,Inc.L=Internet)
    CRITERIA(CNFAPP=&CNFAPP)
CRITMAP(CRT001) ACID(ABCCUST)
    CNFAPP(ABCINET)
CRITMAP(CRT002) ACID(ABCDFLT)
    CNFAPP(*)

A certificate is presented by a user whose distinguished name is CN=Bill,OU=Dept4,OU=PA,OU=Sales,O=ABC Co. The issuer's distinguished name does not identify VeriSign. The process to search for this certificate is:

A user presents a certificate issued by VeriSign but not for ABC Co. There is a match on CERTMAP MAP007, based on the IDNFILTR information. The CRITMAP records are then searched for a matching CNFAPP. If the CNFAPP is ABCINET, ACID ABCCUST is assigned. All other applications are assigned the default ACID ABCDFLT.
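The lookup above can be modelled in a few lines of Python. This is an added example, not CA Top Secret code: the function names are hypothetical, and it assumes that a filter matches when its components equal the trailing components of the certificate's distinguished name, that the first matching record in table order wins, and that ACID MULTIID signals the CRITMAP lookup.

```python
import re

# Search table from the page, in the order listed: (record, ACID, IDNFILTR, SDNFILTR).
CERTMAPS = [
    ("MAP001", "NJDEPT1",
     "OU=Verisign Class 1 Individual Subscriber.O=Verisign,Inc.L=Internet",
     "OU=DEPT1.OU=NJ.OU=Sales.O=ABC Co"),
    ("MAP002", "NJDEPTX", "O=Verisign,Inc.L=Internet", "OU=Sales.O=ABC Co"),
    ("MAP003", "NYDEPT2", None, "OU=DEPT2.OU=NY,OU=Sales.O=ABC Co"),
    ("MAP004", "NYDEPT3", None, "OU=DEPT3.OU=NY,OU=Sales.O=ABC Co"),
    ("MAP005", "ABCDEPT", None, "OU=Sales.O=ABC Co"),
    ("MAP006", "ABCTECH", None, "OU=R&D.O=ABC Co"),
    ("MAP007", "MULTIID", "O=Verisign,Inc.L=Internet", None),  # CRITERIA(CNFAPP=&CNFAPP)
]
# CRITMAP records from the page: (record, ACID, CNFAPP value).
CRITMAPS = [("CRT001", "ABCCUST", "ABCINET"), ("CRT002", "ABCDFLT", "*")]


def rdns(dn):
    """Split a DN or filter into upper-cased components.

    '.' or ',' counts as a separator only when an attribute type ('OU=')
    follows, so the comma inside 'O=Verisign,Inc' stays part of the value.
    """
    return [p.strip().upper() for p in re.split(r"[.,]\s*(?=[A-Za-z]+=)", dn)]


def filter_matches(filt, dn):
    """Assumption: a filter matches when it equals the trailing part of the DN."""
    if filt is None:  # record carries no filter of this kind
        return True
    want = rdns(filt)
    return rdns(dn)[-len(want):] == want


def resolve(subject_dn, issuer_dn, cnfapp):
    """Return (record, ACID) for the first matching record, or None."""
    for name, acid, idnf, sdnf in CERTMAPS:
        if not (filter_matches(idnf, issuer_dn) and filter_matches(sdnf, subject_dn)):
            continue
        if acid != "MULTIID":
            return name, acid
        # MULTIID: pick the ACID from the CRITMAP records by application name.
        for crit, crit_acid, app in CRITMAPS:
            if app in ("*", cnfapp):
                return crit, crit_acid
    return None


if __name__ == "__main__":
    issuer = "O=Verisign,Inc.L=Internet"          # constructed sample issuer DN
    subject = "CN=Pat,OU=Support,O=XYZ Corp"      # constructed sample subject DN
    for app in ("ABCINET", "PAYROLL"):            # PAYROLL is a constructed name
        print(app, resolve(subject, issuer, app))
```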