Currently (as of 4.2), an authorized client's certificate is matched by certificate serial number and issuer DN.
This means the rule has to be updated every time the client's certificate is renewed, since the renewed certificate gets a new serial number.
In many setups it would be more convenient to match instead on some component of the subject DN, for example the serialNumber attribute in the DN or the Common Name (CN).
See also EJBCA, which offers the option to match on one of the most commonly used DN components instead of the certificate serial number.
See the linked ticket for additional background and requirements gathering.
- Old commands remain supported, but if rules are added with the new commands, the old interfaces will present the 'matchSubjectWithType' as the serial number and the rest of the CertificateMatchingRule.toStringRepresentation() as the issuer DN.
- New operations should be added to the AdminWS interface to make managing the authorization rules easier. In the short term, the toStringRepresentation format could be documented and the old operations used.
- Not supported, but should not break completely: a user who only uses the AdminGUI can continue to do so, but can only add rules by certificate serial number and issuer DN as before.
- If the new AdminCLI commands or the AdminWeb are used to add an admin or client entry, it will show up in the GUI with the matchSubjectWithType in the serial number field and the rest of the CertificateMatchingRule.toStringRepresentation() in the Issuer DN field.
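The difference between the two matching styles, as an added illustration that is not SignServer's code: a small Python model of certificate-matching rules. The rule type names, the ClientCert record, and the sample DNs and serial numbers are constructed for this example (SignServer's own MatchSubjectWithType values and its toStringRepresentation format are not reproduced here). It shows that a rule keyed on the certificate serial number stops matching after a renewal, while a rule keyed on the subject CN or the subject serialNumber attribute keeps matching, and that issuer DNs should be compared as parsed RDNs rather than as raw strings so that spacing and attribute-type case do not cause spurious mismatches.

```python
"""Model of client-certificate authorization rules: match by certificate serial
number (legacy) or by a subject DN component. Added example, not SignServer code;
rule type names and sample data are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class MatchSubjectWithType(Enum):
    """Hypothetical rule types for this example (not SignServer's own enum)."""
    CERTIFICATE_SERIALNO = "serialNumber"   # legacy: the certificate's serial number
    SUBJECT_RDN_CN = "CN"                   # the CN attribute of the subject DN
    SUBJECT_RDN_SERIALNO = "SERIALNUMBER"   # the serialNumber attribute (OID 2.5.4.5) of the subject DN


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string DN into (TYPE, value) pairs.

    Attribute types are upper-cased so 'cn' and 'CN' compare equal, and backslash
    escapes such as '\\,' inside a value are honoured. Multi-valued RDNs ('+') are
    not handled in this example."""
    rdns: List[Tuple[str, str]] = []
    chars: List[Tuple[str, bool]] = []   # (character, was_escaped)
    attr_type, in_value, escaped = "", False, False

    def strip_unescaped(buf: List[Tuple[str, bool]]) -> str:
        # Trim only unescaped whitespace at either end; '\\ ' is significant.
        start, end = 0, len(buf)
        while start < end and buf[start][0].isspace() and not buf[start][1]:
            start += 1
        while end > start and buf[end - 1][0].isspace() and not buf[end - 1][1]:
            end -= 1
        return "".join(c for c, _ in buf[start:end])

    def flush() -> None:
        nonlocal attr_type, chars, in_value
        value = strip_unescaped(chars)
        if not attr_type or not value:
            raise ValueError("malformed DN: %r" % dn)
        rdns.append((attr_type, value))
        attr_type, chars, in_value = "", [], False

    for ch in dn:
        if escaped:
            chars.append((ch, True))
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            attr_type = strip_unescaped(chars).upper()
            chars, in_value = [], True
        elif ch == "," and in_value:
            flush()
        else:
            chars.append((ch, False))
    if escaped:
        raise ValueError("malformed DN (dangling escape): %r" % dn)
    flush()
    return rdns


def rdn_value(dn: str, attr_type: str) -> Optional[str]:
    """Return the first value of attr_type in the DN, or None if it is absent."""
    for t, v in parse_dn(dn):
        if t == attr_type.upper():
            return v
    return None


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs structurally rather than as raw strings."""
    return parse_dn(a) == parse_dn(b)


@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str
    serial: int   # certificate serial number as an integer


@dataclass(frozen=True)
class CertificateMatchingRule:
    match_subject_with_type: MatchSubjectWithType
    match_subject_with_value: str   # hex serial number, or the expected attribute value
    match_issuer_with_value: str    # issuer DN, required for every rule type


def matches(rule: CertificateMatchingRule, cert: ClientCert) -> bool:
    """Decide whether cert is authorized by rule; the issuer must always match."""
    if not dn_equal(rule.match_issuer_with_value, cert.issuer):
        return False
    if rule.match_subject_with_type is MatchSubjectWithType.CERTIFICATE_SERIALNO:
        # Compare as integers so hex case and leading zeros do not matter.
        return int(rule.match_subject_with_value, 16) == cert.serial
    attr = rule.match_subject_with_type.value
    return rdn_value(cert.subject, attr) == rule.match_subject_with_value


# Constructed sample data: the same client before and after a certificate renewal.
ISSUER = "CN=Example Client CA,O=Example,C=SE"
ORIGINAL = ClientCert("CN=Admin\\, Alice,SERIALNUMBER=A-0042,O=Example,C=SE", ISSUER, 0x1F3A9C)
RENEWED = ClientCert(ORIGINAL.subject, "CN=Example Client CA, O=Example, C=SE", 0x5E71D0)


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Return (matches original, matches renewed) for each rule type."""
    by_serial = CertificateMatchingRule(MatchSubjectWithType.CERTIFICATE_SERIALNO, "1f3a9c", ISSUER)
    by_cn = CertificateMatchingRule(MatchSubjectWithType.SUBJECT_RDN_CN, "Admin, Alice", ISSUER)
    by_dn_serial = CertificateMatchingRule(MatchSubjectWithType.SUBJECT_RDN_SERIALNO, "A-0042", ISSUER)
    return {
        "certificate serial": (matches(by_serial, ORIGINAL), matches(by_serial, RENEWED)),
        "subject CN": (matches(by_cn, ORIGINAL), matches(by_cn, RENEWED)),
        "subject serialNumber": (matches(by_dn_serial, ORIGINAL), matches(by_dn_serial, RENEWED)),
    }


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print("%-22s original=%s renewed=%s" % (name, before, after))
```

Only the serial-number rule needs rewriting after the renewal; the two DN-component rules keep authorizing the same client. Attribute values are compared exactly here; a production implementation would decide explicitly whether CN comparison is case-sensitive, and would take the subject, issuer and serial from the parsed X.509 certificate rather than from strings.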