X509 Certificate: Identity of DN (Distinguished Names)

Question

I use keytool to create an x509 certificate with this subject:

CN=alice, OU=Demo Client, O=myCompany, L=Site1, ST=wll, C=nz

But after I create a CSR and get the entry signed (I use "openssl ca") my "O" and "L" are suddenly reversed:

CN=alice, OU=Demo Client, L=Site1, O=myCompany, ST=wll, C=nz

Are the both subjects still considered the same? Or is the order important?

Answer 1

They may or may not be the same, depending on how the Subject Distinguished Name (DN) is encoded in the CSR and the certificate. The DN is defined as the X.501 type Name. From RFC 5280:

   Name ::= CHOICE { -- only one possibility for now --
     rdnSequence  RDNSequence }

   RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

   RelativeDistinguishedName ::=
     SET SIZE (1..MAX) OF AttributeTypeAndValue

   AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

   AttributeType ::= OBJECT IDENTIFIER

   AttributeValue ::= ANY -- DEFINED BY AttributeType

The distinguishedNameMatch rule is defined in RFC 5280 section 7.1 (emphasis mine):

Two naming attributes match if the attribute types are the same and the values of the attributes are an exact match after processing with the string preparation algorithm. Two relative distinguished names RDN1 and RDN2 match if they have the same number of naming attributes and for each naming attribute in RDN1 there is a matching naming attribute in RDN2. Two distinguished names DN1 and DN2 match if they have the same number of RDNs, for each RDN in DN1 there is a matching RDN in DN2, and the matching RDNs appear in the same order in both DNs. A distinguished name DN1 is within the subtree defined by the distinguished name DN2 if DN1 contains at least as many RDNs as DN2, and DN1 and DN2 are a match when trailing RDNs in DN1 are ignored.

If the Organization (O) and Location (L) attributes appear in the same Relative Distinguished Name set in the Subject DN of both the CSR and the certificate, then all else being equal, the DNs are equal. If they are in different RDNs, then the order of the RDNs has been changed, making the DNs different.