At several places in the Nexus OCSP Responder configuration, one or more certificates can be pointed out by their issuer or subject Distinguished Names (DNs). In essence, this is a scaled-down matching that behaves the same way as the subject or DN matching in the certificate pattern.
...
Match against issuer DNs
To define the back-end client's URL lookup table, use:
    ocsp.client.urlcheck
To specify the OCSP response cache contents, use:
    ocsp.cache.contents
...
Match against subject DNs
To specify authorization settings, use:
    ocsp.<#>.incoming.authorization.match
The matching is performed against the complete DN. Wildcards (* and ?) are allowed in the match pattern.
DN Matching
Example:
    cn=Donald Duck
Will not match the certificate with subject cn=Donald Duck,c=US, because the match is performed against the complete DN.
...
DN Matching with wildcard
Example:
    *,o=Nexus,c=SE
Will match all DNs that end with o=Nexus,c=SE.
Conventions
Nexus OCSP Responder uses the following conventions on string representation of a DN:
The relative distinguished names (RDNs) are separated by a comma (,).
No blanks are allowed before or after the RDN separator.
A trailing blank in the name itself is shown as "\20".
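The following Python snippet is an added example (not part of the Nexus OCSP Responder documentation or product) that puts the rules above together: it renders a DN in the string convention described (comma-separated RDNs, no blanks around the separator, a trailing blank escaped as \20), translates a match pattern with * and ? wildcards into an anchored regular expression, and flags DN strings that break the convention. The function names (format_dn, dn_matches, convention_violations) are hypothetical, and the example assumes case-sensitive, glob-style matching; whether the real responder compares case-insensitively is not stated on this page.

```python
import re

def format_dn(rdns):
    """Render a DN in the string convention described on this page.

    rdns is a list of (attribute type, value) pairs, most specific first.
    RDNs are joined with ',' and no blanks; each trailing blank in a value
    is shown as '\\20' so that it cannot be mistaken for a blank before
    the separator.
    """
    parts = []
    for attr_type, value in rdns:
        stripped = value.rstrip(" ")
        trailing = len(value) - len(stripped)
        value = stripped + "\\20" * trailing
        parts.append(f"{attr_type}={value}")
    return ",".join(parts)

def pattern_to_regex(pattern):
    """Translate a match pattern into an anchored regex (assumed semantics):
    '*' matches any run of characters, '?' matches exactly one character,
    everything else (including the '\\' of '\\20') is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))

def dn_matches(pattern, dn):
    """True only if the complete DN string matches the pattern; a pattern
    covering just a prefix of the DN (e.g. 'cn=Donald Duck') does not match."""
    return pattern_to_regex(pattern).fullmatch(dn) is not None

def convention_violations(dn):
    """Report blanks directly before or after an RDN separator.

    Returns a list of human-readable problems; an empty list means the
    string follows the convention. A value with an unescaped trailing
    blank shows up here as a blank before the separator."""
    problems = []
    for idx, ch in enumerate(dn):
        if ch != ",":
            continue
        if idx > 0 and dn[idx - 1] == " ":
            problems.append(f"blank before separator at offset {idx}")
        if idx + 1 < len(dn) and dn[idx + 1] == " ":
            problems.append(f"blank after separator at offset {idx}")
    return problems

if __name__ == "__main__":
    # Constructed sample DNs mirroring the examples on this page.
    subject = format_dn([("cn", "Donald Duck"), ("c", "US")])
    print(subject, "matched by 'cn=Donald Duck':", dn_matches("cn=Donald Duck", subject))
    nexus = format_dn([("cn", "Alice"), ("ou", "Dev"), ("o", "Nexus"), ("c", "SE")])
    print(nexus, "matched by '*,o=Nexus,c=SE':", dn_matches("*,o=Nexus,c=SE", nexus))
    print("violations in 'cn=Donald Duck, c=US':", convention_violations("cn=Donald Duck, c=US"))
```

Because the '*' in '*,o=Nexus,c=SE' is followed by a literal comma, this implementation does not match a DN that consists of nothing but o=Nexus,c=SE; check the product's own documentation before relying on that edge case in an authorization rule.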