Not able to apply a DN order when creating subCA to be signed by external CA

[younid]

Hello,

Could you please help to create a CSR file for my sub CA to signed by an external CA ?
My problem is that I must create a CSR with specific DN order to get it signed by the authority I use.

I created the sub CA inside my EJBCA (6.5.0.5) and defined it as signed by an external CA.
I putted the subject DN with fields I need and the correct order that the authority is asking.
When I click on the button "Make Certificate Request" I get a CSR file with all information I provided by the order as changed.

Order I set : C, O, OU, CN, DC
Order I get : C, DC, O, OU, CN

How can I have this order kept for the CSR generation ?
Is there any step I missed ?

Thanks in advance for your help.

Regards

[primetomas]

No you are correct, any custom DN order does not apply to CSRs created by a CA. The issuing CA is able to issue the certificate just as they want, and is not relying on the CSR.
This typically arises then the external CA is a MS CA (ADCS), and it's believed that the ADCS can only issue exactly what is in the CSR. That is not so however, you can use modules in ADCS so it issues what it want to issue (the issuing CA sets the rules).

[younid]

Hello @primetomas,

Happy new year and thank you for your answer.

Can I ask if there's a way to force this order into CSR files?
For example, is it possible when using CLI or some other tool?

I'm asking that because we are in front of a signing authority which rejects all CSR files without its correct DN order.

Regards,
Younid

[primetomas]

That is a very stupid signing authority.
Assuming that you use an HSM, you can create a CSR directly with HSM tools, or openssl or something like that. THe CSR does not have to be created from EJBCA, as long as it is by the CAs signing key, and uses the correct DN (regardless of order).

[fco-code-org]

Hello,
Just to be sure to understand.
We create a Sub CA using the EJBCA GUI.
In this EJBCA GUI page, we provide a DN with a dedicated order and we click on Make Certificate Request button.

The question is : would the CSR generated be using the same DN order that the one set in the GUI (C, O, OU, CN and DC)?

You talked about custom DN order what do you mean by that ?
The DN order we want to have in the CSR is: C, O, OU, CN and DC

Best Regards.

[primetomas]

When you create a CSR in the EJBCA UI the order will be defined by EJBCA internally. CN, OU, O, DC, C; or reverse C, DC, O, OU, CN if you like.

The issuing CA may issue the certificate with whatever order it wants though, it does not have to match the order in the CSR create by EJBCA.

I'm curious, to get the full picture:

• what is the use case for which you need a specific DN order? That is uncommon these days.
• it is also uncommon to use DC in CA certificates what is the use case for that?
• are you using an HSM? In which case there should be an easy workaround

In principle, you can define any custom DN order you like in EJBCA for certificates. In Certificate Profile->Custom Subject DN Order. Unfortunately, this does not apply the CSRs generated in the UI. CA->LDAP DN order applies (reversing the order), but not Custom Subject DN Order. It would make sense to also apply "Custom Subject DN Order" to the CSrs generated, but unfortunately it is not so currently. That would be a code change needed (albeit small).

[fco-code-org]

Hello,

So if I have well understood you, whatever the Subject DN order we set in the EJBCA GUI, for CSR generation the subject DN order is either CN, OU, O, DC and C or C, DC, O, OU and CN, right ?

"what is the use case for which you need a specific DN order? That is uncommon these days."
Unfortunately, the CA company to issue a certificate thanks to a CSR requires a specific order which is C, O, OU, CN and DC :-(

"it is also uncommon to use DC in CA certificates what is the use case for that?"
This is mandatory as per Certificate policy of the CA issuing the certicate thanks to a CSR

"are you using an HSM?"
Yes we are curently investigating this track.

Best Regards.

[primetomas]

Thank you. For the first question. Correct.

I guess you would not be able to share what CA it is? In private messaging? I would like to evaluate if it's worth adding this feature to EJBCA.

Regards,
Tomas