Definition

In the default configuration, the filter for certificate subject evaluates the attributes and their values in strict order from back to front. For example, a rule using the filter "C=DE, O=SAP" expects the subject field of the certificate to include these two entries with C=DE in the second to last position and O=SAP is the final position. If this is not the case, the rule does not apply to the certificate.

Use this option to lift this restriction on the position and order in which these attributes appear in the subject field. In most cases, certification authorities (CA) do not vary the order of the attributes in the subject names. This option then ignores the position in which the attributes appear and only applies if the attributes and values match.

Example

Assume a filter with the following values: "C=DE, O=SAP" (The rule expects attribute C in the second to last position and the attribute O in the last position)

·    Certificate subject 1: "CN=User, C=DE"

The rule does not apply because O=SAP is missing.

·    Certificate subject 2: "CN=User, C=DE, O=SAP AG"

The rule applies since the attributes C and O match and are in the correct order.

·    Certificate subject 3: "O=SAP AG, C=DE, CN=User"

The rule does not apply since attributes C and O are not in the last and second to last positions in the subject name, despite the fact that the values match.

If you activate this option, the second and third examples apply, because the rule is only checking that the attributes exist and that their values match. Order and position in the subject name are irrelevant. The first example still does not apply since the O attribute is missing.