Search fields and recommendations
We recommend these criteria for LDAP requests:
User certificate queries: Empty (“”) base DN, with search filters to find certificates.
CA certificate queries: Base DN contains the subject DN or CN of the CA certificate, with no search filters.
Basic attributes
Attribute | Can use in request? | Returned in response? |
---|---|---|
cn, commonName | yes | yes |
dn | yes | yes |
mail, rfc822mailbox | yes | yes |
o, organizationName | yes | yes |
ou, organizationalUnitName | yes | yes |
Attribute | Can use in request? | Returned in response? |
---|---|---|
objectclass | yes | yes |
Attribute | Can use in request? | Returned in response? |
---|---|---|
usercertificate;binary | yes | yes |
cacertificate;binary | no | yes |
certificaterevocationlist;binary | no | yes |
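The recommendations and tables above can be enforced before a query is sent. This is an added example, not DigiCert code: the function names are hypothetical, and reading "Can use in request?" as covering both filter terms and the requested-attribute list is an assumption. Filter values are escaped per RFC 4515 so that caller-supplied text cannot change the structure of the filter.

```python
# Attributes the tables above mark "Can use in request? yes" (lower-cased).
REQUEST_ATTRS = frozenset({
    "cn", "commonname", "dn", "mail", "rfc822mailbox", "o", "organizationname",
    "ou", "organizationalunitname", "objectclass", "usercertificate;binary",
})

def escape_filter_value(value):
    """RFC 4515 escaping: backslash, *, ( , ) and NUL become \\XX hex pairs."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _check(attr):
    """Reject attributes the tables list as response-only or not at all."""
    name = attr.lower()
    if name not in REQUEST_ATTRS:
        raise ValueError("attribute not usable in a request: %s" % attr)
    return name

def user_cert_search(criteria, want=("usercertificate;binary",)):
    """User certificate query: empty base DN, criteria expressed as a filter."""
    if not criteria:
        raise ValueError("a user certificate query needs at least one filter term")
    terms = ["(%s=%s)" % (_check(a), escape_filter_value(v))
             for a, v in sorted(criteria.items())]
    flt = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return {"base": "", "filter": flt, "attributes": [_check(a) for a in want]}

def ca_cert_search(subject_dn):
    """CA certificate query: base DN is the CA subject DN or CN, no filter."""
    if not subject_dn.strip():
        raise ValueError("a CA certificate query needs the CA subject DN or CN")
    return {"base": subject_dn, "filter": None, "attributes": []}
```
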
Default user search response
These are the default fields returned by the LDAP user certificate search:
dn
mail
cn
o
ou
objectclass
userCertificate;binary
Default CA search response
These are the default fields returned by the LDAP CA certificate search:
dn
mail
cn
o
ou
objectclass
cacertificate;binary
certificaterevocationlist;binary (if available)
User certificate sample response
```
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=TestUser1
# requesting: ALL
#

#
dn: mail=testuser@yopmail.com,cn=TestUser1,ou=Ldap Test Unit,o=Digicert
mail: testuser@yopmail.com
cn: TestUser1
o: Digicert
ou: Ldap Test Unit
objectClass: pkiUser
objectClass: pkiUserData
userCertificate;binary:: <base64-encoded certificate value omitted>

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
CA certificate sample response
```
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=Venu Local DC1 ICA
# requesting: ALL
#

# Venu Local DC1 ICA, Venu Local DC1 ICA OU, Venu Local Account Org
dn: cn=Venu Local DC1 ICA,ou=Venu Local DC1 ICA OU,o=Venu Local Account Org
ou: venu local dc1 ica ou
cn: Venu Local DC1 ICA
o: Venu Local Account Org
objectClass: pkiCA
objectClass: pkiCAData
cACertificate;binary:: <base64-encoded CA certificate value omitted>
certificateRevocationList;binary:: <base64-encoded CRL value omitted>

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
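An added example, not DigiCert code: a small Python parser for LDIF output in the layout of the sample responses above. It unfolds continued lines, decodes `::` base64 values into bytes, and reports which of the default user-search fields an entry lacks. The sample entry and the names `parse_ldif` and `missing_defaults` are constructed for illustration.

```python
import base64

# Default fields of the user certificate search, as listed on this page.
USER_DEFAULTS = ("dn", "mail", "cn", "o", "ou", "objectclass", "usercertificate;binary")

# Constructed sample in the layout of the responses above (made-up 8-byte DER stub, folded).
SAMPLE = """\
# extended LDIF
dn: mail=testuser@example.test,cn=TestUser1,ou=Ldap Test Unit,o=Example
mail: testuser@example.test
cn: TestUser1
o: Example
ou: Ldap Test Unit
objectClass: pkiUser
objectClass: pkiUserData
userCertificate;binary:: MAYCAQECAQ
 I=

# search result
result: 0 Success
"""

def parse_ldif(text):
    """Return entries as dicts: lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # one leading space = folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], None
    for line in lines:
        if not line.strip():                # blank line closes the entry
            entry = None
        elif not line.startswith("#") and ":" in line:
            name, _, rest = line.partition(":")
            name = name.strip().lower()
            value = (base64.b64decode(rest[1:].strip(), validate=True)
                     if rest.startswith(":") else rest.strip())
            if name == "dn":                # every entry starts with its dn
                entry = {}
                entries.append(entry)
            if entry is not None:           # skips "result:" after the entry
                entry.setdefault(name, []).append(value)
    return entries

def missing_defaults(entry, expected=USER_DEFAULTS):
    """Default fields absent from an entry; names are compared lower-cased."""
    return [a for a in expected if a not in entry]
```

Binary attributes come back as raw DER bytes, so a certificate value should begin with the ASN.1 SEQUENCE tag `0x30` before it is handed to an X.509 parser.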