SAP ABAP Data Element CERT_OPT_IDXORDER_ISSUER (Ignore position of attributes in issuer name)
Hierarchy
SAP_BASIS (Software Component) SAP Basis Component
   BC-SEC (Application Component) Security
     SUSR_CERT (Package) User Administration: Certificate administration
Basic Data
Data Element CERT_OPT_IDXORDER_ISSUER
Short Description Ignore position of attributes in issuer name  
Data Type
Category of Dictionary Type D   Domain
Type of Object Referenced     No Information
Domain / Name of Reference Type CERT_BOOLEAN    
Data Type CHAR   Character String 
Length 1    
Decimal Places 0    
Output Length 1    
Value Table      
Further Characteristics
Search Help: Name    
Search Help: Parameters    
Parameter ID   
Default Component name    
Change document    
No Input History    
Basic direction is set to LTR    
No BIDI Filtering    
Field Label
  Length  Field Label  
Short 10 Issuer Pos 
Medium 20 Ignore issuer pos. 
Long 40 Ignore position of attributes in issuer 
Heading 55 Ignore position of attributes in issuer name 
Documentation

Definition

In the default configuration, the filter for certificate issuer evaluates the attributes and their values in strict order from back to front. For example, a rule using the filter "C=DE, O=SAP" expects the issuer field of the certificate to include these two entries, with C=DE in the second to last position and O=SAP in the final position. If this is not the case, the rule does not apply to the certificate.

Use this option to lift this restriction on the position and order in which these attributes appear in the issuer field. In most cases, certification authorities (CA) do not vary the order of the attributes in their issuer name. With this option active, the rule ignores the position in which the attributes appear and applies only if the attributes and values match.

Example

Assume a filter with the following values: "C=DE, O=SAP" (the rule expects attribute C in the second to last position and attribute O in the last position).

·    Certificate issuer 1: "CN=User, C=DE"

The rule does not apply because O=SAP is missing.

·    Certificate issuer 2: "CN=User, C=DE, O=SAP AG"

The rule applies since the attributes C and O match and are in the correct order.

·    Certificate issuer 3: "O=SAP AG, C=DE, CN=User"

The rule does not apply since attributes C and O are not in the last and second to last positions in the issuer name, despite the fact that the values match.

If you activate this option, the rule applies to the second and third examples, because it only checks that the attributes exist and that their values match. Order and position in the issuer name are irrelevant. The rule still does not apply to the first example, since the O attribute is missing.
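
The two matching modes described above, modeled as an added example (not SAP code): the function names, the `ignore_position` parameter and the fourth issuer are hypothetical. Values are compared for exact equality here, which is an assumption, so the constructed filter is written as "C=DE, O=SAP AG".

```python
# Added illustration, not SAP code: a model of the issuer filter described above.
# Assumptions: simple comma-separated DNs, attribute names compared
# case-insensitively, values compared for exact equality.

def parse_dn(dn):
    """Split 'C=DE, O=SAP AG' into [('C', 'DE'), ('O', 'SAP AG')]."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def issuer_matches(filter_dn, issuer_dn, ignore_position=False):
    """Return True if the rule's issuer filter applies to the certificate issuer."""
    flt, issuer = parse_dn(filter_dn), parse_dn(issuer_dn)
    if ignore_position:
        # Option active: each filter attribute must be present with a matching
        # value; where it sits in the issuer name does not matter.
        return all(pair in issuer for pair in flt)
    # Default: the filter must equal the end of the issuer name, in order.
    return len(flt) <= len(issuer) and issuer[-len(flt):] == flt


def compare_modes(filter_dn, issuers):
    """List (issuer, default_result, option_result) for each issuer."""
    return [(i, issuer_matches(filter_dn, i), issuer_matches(filter_dn, i, True))
            for i in issuers]


# Constructed sample data; the first three issuers follow the page's example.
FILTER = "C=DE, O=SAP AG"
ISSUERS = [
    "CN=User, C=DE",
    "CN=User, C=DE, O=SAP AG",
    "O=SAP AG, C=DE, CN=User",
    "C=DE, O=SAP AG, OU=Test CA",  # constructed: extra attribute after O
]

if __name__ == "__main__":
    for issuer, default, option in compare_modes(FILTER, ISSUERS):
        print(f"{issuer!r:32} default={default!s:5} option={option}")
```

The fourth issuer shows what to check when reviewing rules that use this option: the filter is no longer pinned to the end of the issuer name, so an issuer with further attributes after O also matches.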

History
Last changed by/on SAP  20110908 
SAP Release Created in 731