Example of rule execution
The execution of rules are defined on the Server object Network Device Enrollment Rules tab. The hierarchical, policy-based rules allow administrators to manage the destination for Certificate objects in the Policy tree.
The Rules tab only lists enabled Simple Certificate Enrollment Protocol (SCEP) rules. The rules apply to the Policy tree and those defined on the Server object. In this example:
- Five rules are enabled, and partial matches on the Common Name (CN) in the Certificate Signing Request (CSR) are configured on three folders in the Policy tree.
- The rules are listed in order of precedence.
- Rules of the same type are executed in alphanumeric order by Container. In the example, the Subject Match rules sort first, \VED\Policy\NonCorp\Engineering, then \VED\Policy\NonCorp\Marketing, and lastly \VED\Policy\NonCorp\Sales.
- Any rules, highlighted in red, will not be executed with the current configuration. The reason the rule would not be executed will be noted in the Rule column. In this example, the Global Password rule would not ever execute because the same challenge password is assigned at the \VED\Policy folder object.
The rules are displayed in the order they are executed. When a rule is found that matches the conditions of the CSR, execution ends and the matching rule is applied. Rules are applied in the following order:
- Match X.509 Subject to existing certificate object. When enabled, you have the option to limit certificate objects by CA ident, which restricts the search for the existing certificate object to the corresponding policy folder only, based on the CA ident included in the SCEP enrollment request.
- Accept folder in challenge password
- Allow X.509 Subject folder rules.
- Match challenge password to container
- Support additional CAs configured on policies
NOTE If a CA Ident string is configured on a Policy object and the value is sent as part of the SCEP request from the device, only the first two rules in this list are processed. No X.509 subject folder rules or challenge password match rules will be processed. Additionally, if a folder challenge password is provided on the folder along with the CA Ident value, only that challenge password will be used in determining if a valid SCEP request has been sent by the device.