Search fields and recommendations
We recommend these criteria for LDAP requests:
User certificate queries: Empty (“”) base DN, with search filters to find certificates.
CA certificate queries: Base DN contains the subject DN or CN of the CA certificate, with no search filters.
Basic attributes
tabel 1. Certificate attributes
Attribute | Can use in request? | Returned in response? |
|---|---|---|
cn, commonName | yes | yes |
dn | yes | yes |
mail, rfc822mailbox | yes | yes |
o, organizationName | yes | yes |
ou, organizationalUnitName | yes | yes |
tabel 2. Directory class attributes
Attribute | Can use in request? | Returned in response? |
|---|---|---|
objectclass | yes | yes |
tabel 3. Base64 attributes
Attribute | Can use in request? | Returned in response? |
|---|---|---|
usercertificate;binary | yes | yes |
cacertificate;binary | no | yes |
certificaterevocationlist;binary | no | yes |
Default user search response
These are the default fields returned by the LDAP user certificate search:
dn
mail
cn
o
ou
objectclass
userCertificate;binary
Default CA search response
These are the default fields returned by the LDAP CA certificate search:
dn
mail
cn
o
ou
objectclass
cacertificate;binary
certificaterevocationlist;binary (if available)
User certificate sample response
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=TestUser1
# requesting: ALL
#
# dn: mail=testuser@yopmail.com,cn=TestUser1,ou=Ldap Test Unit,o=Digicert
mail: testuser@yopmail.com
cn: TestUser1
o: Digicert
ou: Ldap Test Unit
objectClass: pkiUser
objectClass: pkiUserData
userCertificate;binary:: MIIERjCCAy6gAwIBAgIUB1cm4/W4kcDhVxDha++yTGtLKHcwDQYJK
oZIhvcNAQELBQAwga4xCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCU
JlbmdhbHVydTEPMA0GA1UEERMGNTYwMTAzMQswCQYDVQQJEwI4QjERMA8GA1UEChMIRGlnaWNlcnQ
xFzAVBgNVBAsTDkxEQVAgVGVzdCBVbml0MRUwEwYDVQQLEwxEaWdpY2VydCBCTFIxFjAUBgNVBAMT
DUxEQVAgVGVzdCBpY2EwHhcNMjIwODI5MDYwODM4WhcNMzAxMTE1MDYwODM4WjBvMRYwFAYDVQQDD
A10ZXN0dXNlckQ8YXRhMRswGQYDVQQKDBJEaWdpY2VydCBCYW5nYWxvcmUxFzAVBgNVBAsMDkxkYX
AgVGVzdCBVbml0MR8wHQYJKoZIhvcNAQkBFhB2ZW51QHlvcG1haWwuY29tMIIBIjANBgkqhkiG9w0
BAQEFAAOCAQ8AMIIBCgKCAQEAnq1nR2O4qS40N8PGP7toiu05rEi7K7B5XCPVcaCPKBj6YxWhqevU
GxB81/mu+pqJ+JQY1mjpQAHH8Z2hM8E9pxT2V+UrBw80u4Q7WcPPs/DLseYizIC2oHbhinrZ7JOYg
Qf4J0pdJINVTfqL1JLjoKgcSkh5l5D7wp8tMVhZUIIc7Avo1N6ar8WtLKdvfKCsbYdgUMy1Kgy06e
GNjF03GK74mCg5u7V2Iq7OxyUcXB1vlKND40D9SdUGzgV7GdiiGbxCeYuLQl2WBZppdluk0N7UH6V
2OsQ8FerYZFuRK/qR0Kdg9c1T0Na1aQmL47KLoiEJieAkJALgC+CbL2ztDwIDAQABo4GZMIGWMAwG
A1UdEwEB/wQCMAAwHQYDVR0OBBYEFFhZNpvCR4aoNpDduDAXvumFwnpfMB8GA1UdIwQYMBaAFEp8U
+LE8Vwvoa2CqYstslOzR9HwMA4GA1UdDwEB/wQEAwIFoDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDBD
AeBgNVHREBAf8EFDASgRB2ZW51QHlvcG1haWwuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCGMofENyf
3H5tn+/S1nOgomnZapizneYITIqbs6BRjuKi0VwISVbsH07DLKfOW9sx5kLm58hR8ZdKrpA5bpE28
a/QlcyRXxBtOaH+xoZBktb70S1ri2Oh7aT5R/AZdDBGFXb8gcgfS3AHJg9RezrNzkcrLXT/lfpLjQ
FCeGtgWlxlpFcUMLfTJh0Fow0lTGerE6GwNGtNEqS1GL9t57paOsDlLFGmF7rWo8Pv5yDu/e6YV23
gZNB4REIFh0g8SV7YQ12EBO7EO1m+24DTqH4UfFgJBAiu031vfJMRagmbUTcDM20R30IzgpJS1ERD
aJhkuqOiMSoqR0CqCx5h4ewgg
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1CA certificate sample response
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=Venu Local DC1 ICA
# requesting: ALL
#
# Venu Local DC1 ICA, Venu Local DC1 ICA OU, Venu Local Account Org
dn: cn=Venu Local DC1 ICA,ou=Venu Local DC1 ICA OU,o=Venu Local Account Org
ou: venu local dc1 ica ou
cn: Venu Local DC1 ICA
o: Venu Local Account Org
objectClass: pkiCA
objectClass: pkiCAData
cACertificate;binary:: MIIEWDCCA0CgAwIBAgIUcAgr/CVbXNKcrL1JdwmmMgcDXigwDQYJKoZ
IhvcNAQELBQAwgbIxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJl
bmdhbHVydTEPMA0GA1UEERMGNTYwMTAzMQswCQYDVQQJEwI4QjEfMB0GA1UEChMWVmVudSBMb2Nhb
CBBY2NvdW50IE9yZzEbMBkGA1UECxMSVmVudSBMb2NhbCBSb290IE9VMR8wHQYDVQQDExZWZW51IE
xvY2FsIERDMSBSb290IENBMCAXDTIyMDkyMTA4MzEzNVoYDzIwNTIwOTIxMDgyOTQ5WjCBsTELMAk
GA1UEBhMCSU4xEjAQBgNVBAgTCUthcm5hdGFrYTESMBAGA1UEBxMJQmVuZ2FsdXJ1MQ8wDQYDVQQR
EwY1NjAxMDMxCzAJBgNVBAkTAjhCMR8wHQYDVQQKExZWZW51IExvY2FsIEFjY291bnQgT3JnMR4wH
AYDVQQLExVWZW51IExvY2FsIERDMSBJQ0EgT1UxGzAZBgNVBAMTElZlbnUgTG9jYWwgREMxIElDQT
CCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANQVzAseiyNtEUGt1sz3Pu/ozO+WPU5gJ3a
whUWtrCgg5v1Ysxk6+yl4HIsacx5lQN9DILuj2nxb1CQkFvkR2l3+XV+GaqNEjTiKPj5A79kr6zp6
xl3El+k9DE3FhRN6pCaL0OI1OMDu0PgtUrr76rT4xdyi3jRo0D1fgTmShYXWaoe5ULBi+U/WkW94b
EqJcmQMkj3f89kUPXmk5UhMxwe3gLJuJqnq/OdcEtQ7+sN4JfEMOm1PjJ5NhAb1XcaIr7K9anBsnj
WP7SOX3O30DC1WT/B5lO7E+/ETweA+rj9WVYxEkj1BbX+Uaj9HU0HQxgiACXfcvaL4FA3CSRJZeOk
CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUF2B7o32mXmTgrZ/JPx72q/OsBeYw
HwYDVR0jBBgwFoAUPOUYv4xSUJA36DjMikjhTta4HuAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3D
QEBCwUAA4IBAQBgms6SFz+pO+XWqydtDfJapIJ6QiRuTRK+bOEHqmsd/0koJCxBqjnvuM71Spa81C
5bZevcGY1Fr3VCPuPsxnVPcUmjCpXMP2vVirUgCYWrsEJV8GL/ZdkXZW1IT6/am/rJET+wLPO0Lq/
48Iahue9JN8t7HkbMDOtMhYDmZxSs+mZDvQTCz4xtvxMiLn16lLadZBifTE9fmklyDPsd9HukOldD
yjV/i7rWlTmtDjzNj3cj6ocTP6MU3AhQeaAGxMv1IPVF/Jpiq3mPcD8KMtgyIjYNs4f6DJN1FLTgt
/pr9rcSZ/KkEwxMDCZ7dYhGlrvsixj//SMovvad3WbY7kSK
certificateRevocationList;binary:: MIICLTCCARUCAQEwDQYJKoZIhvcNAQELBQAwgbExCzA
JBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJlbmdhbHVydTEPMA0GA1UE
ERMGNTYwMTAzMQswCQYDVQQJEwI4QjEfMB0GA1UEChMWVmVudSBMb2NhbCBBY2NvdW50IE9yZzEeM
BwGA1UECxMVVmVudSBMb2NhbCBEQzEgSUNBIE9VMRswGQYDVQQDExJWZW51IExvY2FsIERDMSBJQ0
EXDTIyMDkyMTA4MzE0NloXDTIyMDkyODA4MzE0NlqgLzAtMB8GA1UdIwQYMBaAFBdge6N9pl5k4K2
fyT8e9qvzrAXmMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBJYXam/qdCRs0APtnlWg5j
6TA6QrlwVA/7LwKU+wizt7MGJtk1HH0jNpKUedUBz//OnaPtUCwRTP6wPxFih/cd1yOUFtzLIDHin
uhjou3u8yUIbFkhykNN/xar4XV5Yevf3moO+KGy+w6cTM1KMFgjqaABzGUh6paMpWv8WVP1uGXMWJ
sCxBVQgj3SVKycUgvwWqqKZQKk0gjGlSXiaFWbhnjlMXGD/pzf2UTOZ3Tp/rscB/CGYXLfam8N5+Q
BkTChhIO/yavX3C6gBn9p6J9dsSFflsGv5aURxuWyaYzDA0yAUk2qQdLZu8zwtAxWyClfTsmAuftb
kfT/DFiGUOXV
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1