CA not respecting DN order with SerialNumber

[hoihochan]

Hello,

We created a CA with the following sample DN:

C=US, O=Foobar, CN=TEST CA, SerialNumber=1

We un-checked the LDAP DN order and set "Signed By" to "External CA" so we can generate a CSR to be signed by an external CA.

However the CSR is not following the desired DN order after decoding it from OpenSSL:

Subject: C=US, O=Foobar, serialNumber=1, CN=TEST CA

Both openssl req and openssl asn1parse yield the same issue - is there a way to do a custom DN order when it is going to be signed by an external CA?

[primetomas]

I don't think this is possible, if you didn't get it working. But the subject DN in the request should not matter as the issuing CA should set the correct DN when issuing the certificate. A CA should not just copy-past the DN and extensions from a request, that's dangerous for compliance mistakes. All (that we know of) CAs are able to set the proper values on certificates issued. Albeit it has been common for ADCS Root CA to be configured to just copy-past from the request, ADCS can be configured to set the values that the Root CA actually wants.

Therefore the CSR from EJBCA is pretty basic, it doesn't really matter.

Having said that, I would agree that it would be natural for the CSR to follow the DN order configured in the certificate profile selected.
It seems to be this line: https://github.com/Keyfactor/ejbca-ce/blob/main/modules/cesecore-x509ca/src/org/cesecore/certificates/ca/X509CAImpl.java#L1076

There is a version of DnComponents.stringToBcX500Name that also takes a "final String[] order" parameter.

[hoihochan]

We are using EJBCA 7.3.1.1 Enterprise (33903) - do you know if there will be an actual fix?

[primetomas]

That’s an awfully old version. You should always update to the latest before testing any issues. There will not be any updates to 7.x or 8.x.
if you are using Enterprise you should open a support ticket with Keyfactor btw, this is a channel for best effort Community support.