At several places in the Nexus OCSP Responder configuration, one or more certificates can be selected by issuer or subject Distinguished Name (DN). In essence, this is a scaled-down form of the matching that the subject and issuer DN fields perform in a certificate pattern.
Match against issuer DNs
- To define the back-end client's URL lookup table: ocsp.client.urlcheck
- To specify the OCSP response cache contents: ocsp.cache.contents
Match against subject DNs
- To specify authorization settings: ocsp.<#>.incoming.authorization.match
The matching is performed against the complete DN. Wildcards (* and ?) are allowed in the match pattern.
DN Matching
Example: cn=Donald Duck
Will not match a certificate whose subject is cn=Donald Duck,c=US, because the pattern must match the complete DN.
DN Matching with wildcard
Example: *,o=Nexus,c=SE
Will match all DNs that end with o=Nexus,c=SE.
Conventions
Nexus OCSP Responder uses the following conventions for the string representation of a DN:
- The relative distinguished names (RDNs) are separated by a comma (,).
- No blanks are allowed before or after the RDN separator.
- A trailing blank in the name itself is shown as "\20".
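The following is an added example, not Nexus's own code: it renders DNs in the string convention above and matches them against the wildcard patterns described for the configuration keys. It assumes that * may span RDN separators, that comparison is case-sensitive, and that the input values are unescaped; dn_to_string and dn_matches are names chosen for this example.

```python
import re
from typing import Sequence, Tuple


def dn_to_string(rdns: Sequence[Tuple[str, str]]) -> str:
    """Render (attribute, value) pairs as a DN string in the Nexus convention.

    RDNs are joined by ',' with no blanks around the separator, and each
    trailing blank in a value is written as '\\20'. Taking the input as
    unescaped attribute/value pairs is an assumption of this example.
    """
    parts = []
    for attr, value in rdns:
        stripped = value.rstrip(" ")
        value = stripped + "\\20" * (len(value) - len(stripped))
        parts.append(f"{attr}={value}")
    return ",".join(parts)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a DN match pattern into a regular expression.

    '*' matches any run of characters (including RDN separators, so it can
    cover several leading RDNs), '?' matches exactly one character, and every
    other character is literal. Case-sensitive matching is assumed here.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.compile(regex)


def dn_matches(pattern: str, dn: str) -> bool:
    """True only if the complete DN string matches the pattern."""
    return pattern_to_regex(pattern).fullmatch(dn) is not None


if __name__ == "__main__":
    # The page's examples: a partial DN does not match, a wildcard prefix does.
    print(dn_matches("cn=Donald Duck", "cn=Donald Duck,c=US"))          # False
    print(dn_matches("*,o=Nexus,c=SE", "cn=OCSP Signer,ou=PKI,o=Nexus,c=SE"))  # True
    # A blank after the separator breaks the convention, so the pattern misses.
    print(dn_matches("cn=Donald Duck, c=US", "cn=Donald Duck,c=US"))    # False
    # A trailing blank in the name must be written as \20 in the pattern.
    print(dn_to_string([("cn", "Donald Duck "), ("c", "US")]))          # cn=Donald Duck\20,c=US
```

Writing a pattern with a blank after a comma, as in the third check, is the most common way such a match silently fails.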