Distinguished name matching
At several places in the Nexus OCSP Responder configuration, one or more certificates can be selected by their issuer or subject Distinguished Names (DNs). This is a scaled-down form of matching that behaves the same way as the subject or DN matching in the certificate pattern.
Match against issuer DNs
To define the back-end client's URL lookup table:
ocsp.client.urlcheck
To specify the OCSP response cache contents:
ocsp.cache.contents
Match against subject DNs
To specify authorization settings:
ocsp.<#>.incoming.authorization.match
The matching is always performed against the complete DN, not against a prefix or a single RDN. Wildcards (* and ?) are allowed in the match pattern.
DN Matching
Example:
cn=Donald Duck
This pattern will not match a certificate whose subject is cn=Donald Duck,c=US, because the whole DN must match.
DN Matching with wildcard
Example:
*,o=Nexus,c=SE
This pattern matches every DN that ends with o=Nexus,c=SE.
Conventions
Nexus OCSP Responder uses the following conventions on string representation of a DN:
The relative distinguished names (RDNs) are separated by a comma (,).
No blanks are allowed before or after the RDN separator.
A trailing blank in a name value itself is shown as "\20".
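The following is an added illustration of the matching rules and string conventions described above, written for this page; it is not Nexus OCSP Responder code and does not reproduce the product's parser. It assumes glob-style semantics (* matches any run of characters including the comma separator, ? matches exactly one character, everything else is compared literally) and that a DN string is compared exactly as written, so a blank after a separator or a missing RDN prevents a match. The format_dn and first_match helpers are constructed for the example.

```python
import re
from typing import Optional, Sequence, Tuple


def dn_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a DN match pattern into an anchored regular expression.

    Assumed semantics: '*' matches any run of characters (including the
    ',' RDN separator, which is how "*,o=Nexus,c=SE" covers every DN that
    ends in o=Nexus,c=SE), '?' matches exactly one character, and every
    other character is matched literally. The anchors enforce the rule
    that the complete DN must match, not just a prefix.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def dn_matches(pattern: str, dn: str) -> bool:
    """True if the complete DN string matches the wildcard pattern."""
    return dn_pattern_to_regex(pattern).match(dn) is not None


def format_dn(rdns: Sequence[Tuple[str, str]]) -> str:
    """Render RDNs in the documented string form: ',' as separator with no
    surrounding blanks, and trailing blanks in a value shown as '\\20'.

    Constructed helper (an assumption about the representation, not the
    product's own encoder); it escapes only trailing blanks, which is all
    the conventions above describe.
    """
    parts = []
    for attr, value in rdns:
        stripped = value.rstrip(" ")
        value = stripped + "\\20" * (len(value) - len(stripped))
        parts.append(f"{attr}={value}")
    return ",".join(parts)


def first_match(dn: str, patterns: Sequence[str]) -> Optional[str]:
    """Return the first pattern that matches the DN, or None.

    Constructed stand-in for walking a lookup table keyed by DN pattern,
    such as the URL lookup table or authorization settings mentioned above.
    """
    for pattern in patterns:
        if dn_matches(pattern, dn):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed sample DNs in the documented string form.
    print(dn_matches("cn=Donald Duck", "cn=Donald Duck,c=US"))          # False
    print(dn_matches("*,o=Nexus,c=SE", "cn=Alice,ou=CA,o=Nexus,c=SE"))  # True
    print(dn_matches("cn=Donald Duck,c=US", "cn=Donald Duck, c=US"))     # False
    print(format_dn([("cn", "Donald Duck "), ("c", "US")]))             # cn=Donald Duck\20,c=US
```

Two consequences of the rules are worth noticing in the output: a pattern without wildcards only matches a DN with exactly the same RDNs, and a pattern such as *,o=Nexus,c=SE still requires the literal comma before o=Nexus, so the bare DN o=Nexus,c=SE does not match it. Because the comparison is on the string form, a DN written with a blank after the separator does not match a pattern that follows the conventions.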