Kerberos CA Distinguished Names
X.509 certificates identify both the Subject of the certificate (the issuee) and the issuing authority (Certificate Authority) by Distinguished Names (DN). Certificates issued by a CA are guaranteed to have unique DNs. The KCA issues certificates with Subject DNs in which the extra field /UID (called an OID, or Object IDentifier) lists the username portion of the Kerberos principal.

The KCA Issuer DNs (the DN for the KCA's certificate) are of the form:

/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA

Using the established procedures to run Kerberized cron jobs under Linux/UNIX (see 10.3 Automated Processes) and requesting a KCA certificate in the cron job will result in a slightly different Subject DN:

/DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=cron/CN=Frank J. Smith/UID=smith

Notice that the /OU=People OID has been replaced by the /OU=Robots/CN=cron OID to indicate that the certificate was issued to an automated process.

OIDs are stored in certificates as numbers (in binary). They are interpreted and displayed as text for user convenience by various utilities, which may differ in this interpretation. In particular, the /UID field is prone to differing display interpretations, from being shown as a numeric value to being displayed in the form /UserID. Current versions of OpenSSL (0.9.7 and later) seem to agree on displaying this OID as /UID. You can check your OpenSSL version with the command:

openssl version

A translation list from the Kerberos principal username to the KCA Subject Distinguished Name is available. You must have a KCA or DOEGrids certificate to access the list. Any scripts for automatically processing this list should ignore any lines which begin with "#" as comment lines. A second translation list is also available for KCA DNs in certificates obtained by cron/kcron jobs.
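The following is an added example, not code from Fermilab or the KCA software, showing how a script consuming the translation list can parse a slash-separated KCA DN, tolerate the /UID, /UserID and numeric display variants the text mentions, tell a person certificate (/OU=People) from a cron/kcron one (/OU=Robots/CN=cron), and skip "#" comment lines. The person DN layout (/OU=People/CN=name/UID=user) is inferred from the comparison above, the line layout of the translation list (username, whitespace, DN) is an assumption, and the sample list is constructed; the numeric OID is the standard userid attribute type.

```python
"""Parse and classify KCA-style slash-separated Distinguished Names.

Added example; not Fermilab/KCA code. The person-DN layout and the
translation-list line format are assumptions modelled on the page text.
"""
from __future__ import annotations

import re

# Display variants of the same attribute type that different utilities emit.
# 0.9.2342.19200300.100.1.1 is the standard (RFC 4519) 'uid'/'userid' OID.
UID_ALIASES = {"uid", "userid", "0.9.2342.19200300.100.1.1"}

# Every Fermilab KCA subject DN on this page starts with these RDNs.
KCA_PREFIX = [("DC", "gov"), ("DC", "fnal"), ("O", "Fermilab")]


def normalize_type(attr_type: str) -> str:
    """Map /UID, /UserID and the numeric OID onto the single spelling 'UID'."""
    t = attr_type.strip()
    return "UID" if t.lower() in UID_ALIASES else t


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split '/DC=gov/DC=fnal/...' into ordered (type, value) pairs.

    The split only happens at a '/' that starts a new 'type=' token, so a
    '/' inside a value does not break the parse.
    """
    if not dn.startswith("/"):
        raise ValueError("expected a slash-separated DN")
    pairs = []
    for part in re.split(r"/(?=[A-Za-z0-9.]+=)", dn[1:]):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        pairs.append((normalize_type(attr_type), value))
    return pairs


def classify_kca_subject(dn: str) -> dict:
    """Return kind ('person' or 'robot'), Kerberos username and display name.

    A person certificate carries /OU=People; one requested from a Kerberized
    cron job carries /OU=Robots/CN=cron before the person's CN instead.
    """
    pairs = parse_dn(dn)
    if pairs[:3] != KCA_PREFIX:
        raise ValueError("not a Fermilab KCA subject DN")
    uids = [v for t, v in pairs if t == "UID"]
    if len(uids) != 1:
        raise ValueError("expected exactly one UID attribute")
    ous = [v for t, v in pairs if t == "OU"]
    cns = [v for t, v in pairs if t == "CN"]
    if ous == ["People"] and len(cns) == 1:
        kind = "person"
    elif ous == ["Robots"] and len(cns) == 2 and cns[0] == "cron":
        kind = "robot"
    else:
        raise ValueError(f"unrecognised OU/CN layout: {ous} {cns}")
    return {"kind": kind, "username": uids[0], "cn": cns[-1]}


def parse_translation_list(text: str) -> dict[str, str]:
    """Parse a username -> DN list, ignoring blank lines and '#' comments.

    Assumed line layout: username, whitespace, DN. Each DN's UID is checked
    against the username column so a mismatched entry is rejected.
    """
    mapping: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, dn = line.split(None, 1)
        if classify_kca_subject(dn)["username"] != user:
            raise ValueError(f"UID in DN does not match username {user!r}")
        mapping[user] = dn
    return mapping


# Constructed sample input (not a real translation list).
SAMPLE_LIST = """\
# username  KCA subject DN   (constructed sample, second line uses /UserID)
smith /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Frank J. Smith/UID=smith
jones /DC=gov/DC=fnal/O=Fermilab/OU=People/CN=Jane Jones/UserID=jones
"""

CRON_DN = "/DC=gov/DC=fnal/O=Fermilab/OU=Robots/CN=cron/CN=Frank J. Smith/UID=smith"

if __name__ == "__main__":
    print(classify_kca_subject(CRON_DN))
    for user, dn in parse_translation_list(SAMPLE_LIST).items():
        print(user, "->", classify_kca_subject(dn))
```

Normalising the attribute type before comparing is what keeps such a script working across the OpenSSL versions the text describes; comparing the raw string "/UID=" would silently miss entries displayed as /UserID or as the numeric OID.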
For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by the Computer Security Team; last modified by TR on July 13, 2006. (Address comments about this page to the Computer Security Team.)