A special syntax called "certificate pattern" is used when referring to a particular certificate in the configuration file (see "Specify keys" in the Key management section). The certificate pattern syntax is based on the LDAP search filter syntax, with the operator placed before the argument list and each argument enclosed in parentheses.

A simple pattern is of the form `<key>=<value>`. The value may contain wildcards (`*` or `?`). See also Distinguished name matching.

The key refers to a Relative Distinguished Name (RDN) of the subject. If Nexus OCSP Responder is able to find such an RDN, `<value>` is matched against it. Otherwise, the check results in "false".

For certain keys, the match is performed as follows:
Key | Certificate information match
---|---
issuer | `<value>` is matched against the full Issuer Distinguished Name.
subject | `<value>` is matched against the full Subject Distinguished Name.
dn | Equivalent to "subject".
serialNumber | `<value>` is compared to the certificate serial number. You may use decimal or hexadecimal notation. Hexadecimal notation shall begin with `0x`.
keyUsage | `<value>` is compared by name to the flags that are set in the certificate's Key Usage extension. The names of the flags are: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly.
Several patterns can optionally be grouped together to produce complex patterns. The following operators are supported:

Operator | Example
---|---
And | `&(<pattern 1>)(<pattern 2>)...`
Or | `\|(<pattern 1>)(<pattern 2>)...`
Not | `!(<pattern>)`
Example 1:

Find all certificates issued to John Doe:

Example 2:

Find John Doe's certificate(s) issued by Acme CA:

```
&(cn=John Doe)(issuer=cn=Acme CA,o=Acme Inc.,c=NL)
```

Example 3:

The following two searches are equivalent:

```
&(cn=John Doe)(|(keyusage=keyencipherment)(keyusage=dataencipherment))
&(subject=*cn=John Doe,*)(keyusage=*cipherment)
```
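To make the pattern semantics concrete, here is a small evaluator for the syntax described on this page, written as an added example; it is not Nexus OCSP Responder code and does not reproduce its implementation. It parses the prefix operators `&`, `|` and `!` (Not written `!` as in LDAP search filters), simple `<key>=<value>` patterns with `*`/`?` wildcards, and the special keys issuer, subject, dn, serialNumber and keyUsage; any other key is looked up as an RDN of the subject. The certificate itself is a constructed dictionary of already-extracted attributes rather than a parsed X.509 object. Assumptions beyond what the page states: comparison is case-insensitive, DNs are split on plain commas (no escaped commas or multi-valued RDNs), and a value cannot contain `)`. Running the examples from this page against the sample certificate shows which ones select it.

```python
import re

# Constructed sample certificate attributes (not a real certificate). A real
# responder would fill these from the parsed X.509 certificate.
SAMPLE_CERT = {
    "subject": "cn=John Doe,ou=Sales,o=Acme Inc.,c=NL",
    "issuer": "cn=Acme CA,o=Acme Inc.,c=NL",
    "serialNumber": 0x1A2B,
    "keyUsage": {"digitalSignature", "keyEncipherment"},
}


def wildcard_match(pattern, text):
    """Match text against pattern: * matches any run of characters, ? exactly
    one. Case-insensitive comparison is an assumption of this example."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def parse_dn(dn):
    """Split a DN string into (attribute, value) RDN pairs. Naive split on ','
    (escaped commas and multi-valued RDNs are out of scope for this example)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def parse_pattern(text, i=0):
    """Recursive-descent parser returning (node, next_index). Nodes are
    ('&', [children]), ('|', [children]), ('!', [child]) or ('=', key, value)."""
    if i >= len(text):
        raise ValueError("unexpected end of pattern")
    op = text[i]
    if op in "&|!":
        i += 1
        children = []
        while i < len(text) and text[i] == "(":
            child, i = parse_pattern(text, i + 1)
            if i >= len(text) or text[i] != ")":
                raise ValueError("missing ')' at offset %d" % i)
            children.append(child)
            i += 1
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("operator %r needs arguments" % op)
        return (op, children), i
    # Simple pattern: key=value, the value running up to the enclosing ')'.
    # The value is split at the first '=', so 'issuer=cn=...' keeps its DN.
    end = text.find(")", i)
    if end == -1:
        end = len(text)
    key, sep, value = text[i:end].partition("=")
    if not sep:
        raise ValueError("simple pattern needs key=value: %r" % text[i:end])
    return ("=", key.strip().lower(), value.strip()), end


def parse(text):
    node, i = parse_pattern(text)
    if i != len(text):
        raise ValueError("trailing characters at offset %d" % i)
    return node


def match_simple(key, value, cert):
    """Apply the per-key rules from the table above."""
    if key == "issuer":
        return wildcard_match(value, cert["issuer"])
    if key in ("subject", "dn"):
        return wildcard_match(value, cert["subject"])
    if key == "serialnumber":
        base = 16 if value.lower().startswith("0x") else 10
        return int(value, base) == cert["serialNumber"]
    if key == "keyusage":
        return any(wildcard_match(value, flag) for flag in cert["keyUsage"])
    # Any other key names an RDN of the subject; a missing RDN yields False.
    return any(wildcard_match(value, rdn_value)
               for attr, rdn_value in parse_dn(cert["subject"]) if attr == key)


def evaluate(node, cert):
    op = node[0]
    if op == "=":
        return match_simple(node[1], node[2], cert)
    if op == "&":
        return all(evaluate(child, cert) for child in node[1])
    if op == "|":
        return any(evaluate(child, cert) for child in node[1])
    return not evaluate(node[1][0], cert)  # op == "!"


def matches(pattern, cert=SAMPLE_CERT):
    """True if the certificate pattern selects the given certificate."""
    return evaluate(parse(pattern), cert)


if __name__ == "__main__":
    for p in ("cn=John Doe",
              "&(cn=John Doe)(issuer=cn=Acme CA,o=Acme Inc.,c=NL)",
              "&(cn=John Doe)(|(keyusage=keyencipherment)(keyusage=dataencipherment))",
              "&(subject=*cn=John Doe,*)(keyusage=*cipherment)",
              "!(serialNumber=0x1A2B)"):
        print(matches(p), p)
```

A parse error (unbalanced parentheses, an operator without arguments, a simple pattern without `=`) raises `ValueError` rather than silently evaluating to false, which is the behaviour you want from a configuration loader: a typo in a pattern should fail loudly at startup, not quietly select the wrong key.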