Currently there is an extension in the EJBCA OCSP responder that fetches a secret from a DB, keyed on the serialNumber (SN) attribute in the DN of the certificate.
This functionality is called UNID (unique ID) lookup.
The secret, called FNR, is not allowed to appear in the certificate itself, for user-integrity reasons.
This feature will write FNR mapped to UNID to a DB when certificates are produced by the CMP protocol.
1. The table is assumed to be identical to that of the OCSP UNID/FNR implementation
2. The certificate request is assumed to be performed with CMP
3. The UNID feature is activated through the following settings in "cmp.properties":
cmp.uniddatasource=[as in OCSP]
4. The EJBCA UNID feature is tested through an external JUnit test in the
same way as the OCSP UNID feature.
5. Detailed operation:
- A CMP Certificate Request is performed with KeyId holding a Certificate
Profile with name "pppp-pppp-..."
- The Certificate Request contains a DN serialNumber attribute holding
the 11-digit FNR + 5-digit LRA, formatted as follows:
Subject DN: CN=Alexander Rybak, serialNumber=fffffffffff-lllll, C=NO
- Now EJBCA is supposed to create a random 6-character alphanumeric
string "rrrrrr" and rewrite the Subject DN so that the resulting certificate looks like:
Subject DN: CN=Alexander Rybak, serialNumber=pppp-pppp-lllllrrrrrr, C=NO
In the database, FNR is set to "fffffffffff" and UNID to "pppp-pppp-lllllrrrrrr".
UNID is the primary key in the DB, to guarantee that it is unique.
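The DN rewrite and the FNR-to-UNID mapping described in step 5, as an added worked example (not EJBCA's own code). It assumes the "pppp-pppp" prefix is passed in directly, the table name `UnidFnrMapping` is a placeholder for whatever the OCSP implementation uses, and "alphanumeric" means [A-Za-z0-9]; the DN and serialNumber values are constructed sample data.

```python
import re
import secrets
import sqlite3
import string

# Request serialNumber format from this spec: 11-digit FNR, "-", 5-digit LRA.
SERIAL_RE = re.compile(r"^(\d{11})-(\d{5})$")
ALPHANUM = string.ascii_letters + string.digits  # assumption: [A-Za-z0-9]


def random_suffix(length=6):
    # "rrrrrr": use a CSPRNG so the UNID cannot be guessed from earlier issuances.
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def rewrite_dn(dn, profile_prefix, suffix=None):
    """Return (rewritten_dn, fnr, unid) for a DN like
    'CN=..., serialNumber=fffffffffff-lllll, C=NO'.
    The split on ', ' is enough for this spec's DNs; real DNs need an RFC 4514 parser."""
    fnr = unid = None
    out = []
    for rdn in dn.split(", "):
        attr, _, value = rdn.partition("=")
        if attr.lower() == "serialnumber":
            m = SERIAL_RE.match(value)
            if not m:
                raise ValueError("serialNumber must be 11-digit FNR '-' 5-digit LRA")
            fnr, lra = m.groups()
            # UNID = pppp-pppp-lllllrrrrrr: profile prefix, LRA, random suffix.
            unid = f"{profile_prefix}-{lra}{suffix or random_suffix()}"
            value = unid  # the FNR never reaches the issued certificate
        out.append(f"{attr}={value}")
    if fnr is None:
        raise ValueError("serialNumber attribute missing from DN")
    return ", ".join(out), fnr, unid


def open_mapping_db(path=":memory:"):
    # Placeholder table name; UNID is the primary key so uniqueness is enforced by the DB.
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS UnidFnrMapping "
                 "(unid TEXT PRIMARY KEY, fnr TEXT NOT NULL)")
    return conn


def store_mapping(conn, unid, fnr):
    """Insert the FNR under its UNID; False on a UNID collision (caller should re-draw)."""
    try:
        with conn:
            conn.execute("INSERT INTO UnidFnrMapping (unid, fnr) VALUES (?, ?)", (unid, fnr))
        return True
    except sqlite3.IntegrityError:
        return False
```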