With the current implementation of EJBCA, the fields in the subject DN of newly-issued certificates are ordered according to a hard-coded order, although it's possible to set it to be X.500 or LDAP order (i.e. only reversing is possible).
It would be nice if it were possible to pass in an extra option during issuance of a certificate via web service that would let the client signal EJBCA to use the order of subject DN fields specified in the request itself. I.e. EJBCA would not try to normalise the subject DN in any way.
All other checks against the end entity profile should still be performed, of course.
This way the customers would be able to define their own order based on the requests they send in.
Some guidance on the matter from https://tools.ietf.org/html/rfc5280#section-7.1:
"Two distinguished names DN1 and DN2 match if they have the same number of RDNs, for each RDN in DN1 there is a matching RDN in DN2, and the matching RDNs appear in the same order in both DNs."
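
The effect of the RFC 5280 rule quoted above on a reordered subject DN, as an added example (not EJBCA code and not part of the original request). It is a simplified comparison: values are case-folded and whitespace-collapsed rather than run through full RFC 4518 string preparation, hex escapes are not handled, and the sample DNs are constructed.

```python
import re
from collections import Counter

# Constructed sample DNs (assumptions, not taken from the request).
REQUESTED = "C=SE,O=Example AB,OU=Devices,CN=device-01"  # order sent by the client
AS_LDAP = "CN=device-01,OU=Devices,O=Example AB,C=SE"    # same DN written in LDAP order
REORDERED = "C=SE,OU=Devices,O=Example AB,CN=device-01"  # O and OU swapped on issuance

def split_unescaped(text, sep):
    """Split on sep unless it is backslash-escaped (RFC 4514 style)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_rdn(rdn):
    """One RDN as a set of (type, value) pairs; '+' joins multi-valued RDNs."""
    pairs = []
    for ava in split_unescaped(rdn, "+"):
        attr, _, value = ava.partition("=")
        value = re.sub(r"\\(.)", r"\1", value)          # drop simple escapes
        pairs.append((attr.strip().casefold(), " ".join(value.split()).casefold()))
    return frozenset(pairs)

def parse_dn(dn, ldap_order=False):
    """RDN list in X.500 (encoding) order; LDAP strings are written reversed."""
    rdns = [parse_rdn(r) for r in split_unescaped(dn, ",") if r.strip()]
    return rdns[::-1] if ldap_order else rdns

def dn_match(dn1, dn2):
    """RFC 5280 7.1: same number of RDNs, matching RDNs, same order."""
    return len(dn1) == len(dn2) and all(a == b for a, b in zip(dn1, dn2))

def same_rdns_any_order(dn1, dn2):
    return Counter(dn1) == Counter(dn2)

if __name__ == "__main__":
    req = parse_dn(REQUESTED)
    print("LDAP-order spelling matches:", dn_match(req, parse_dn(AS_LDAP, ldap_order=True)))
    print("reordered has same RDNs:   ", same_rdns_any_order(req, parse_dn(REORDERED)))
    print("reordered matches:         ", dn_match(req, parse_dn(REORDERED)))
```

A DN that is only reversed between LDAP and X.500 string order still matches the request, while one whose RDNs were rearranged does not, even though it carries exactly the same RDNs.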