Introduction

Generally speaking, the local identity and the remote identity of a certificate-based VPN connection are the certificate subjects. In the VPN configuration they are stored as (often complex) ASN.1 Distinguished Names (DNs). During VPN negotiation, the local identity selects the certificate that is transmitted to the remote peer, whereas the locally configured remote identity is compared both with the identity the remote peer sends and with the subject of the certificate received from it.

Until now, the local and the remote identities had to be entered in full into the VPN configuration. Not only is this prone to error; it is also sometimes desirable to specify only part of the certificate subject. This is practical where different certificates with similar subjects are to be accepted automatically, for example where certificates are replaced over time, or where several certificate hierarchies operate in parallel.

Flexible identity comparison addresses this. A certificate subject must contain every component of the configured identity, i.e. every Relative Distinguished Name (RDN) of the ASN.1 Distinguished Name (DN); the subject may contain further RDNs, and the RDNs may appear in any order. In addition, the RDN values of the configured identity may contain the wildcards "?" and "*". If an RDN value is to contain a literal "?" or "*", it must be entered as "\?" or "\*". Examples:
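To make the matching rules concrete, here is an added example of the comparison (written for this page, not LANCOM's own code). It assumes a comma-separated "TYPE=value" DN string syntax with backslash escapes, case-insensitive attribute types and exact (case-sensitive) value comparison; the page does not specify these details.

```python
import re
from typing import List, Tuple

# One RDN of a DN: (attribute type, value), e.g. ("CN", "vpn1.example.test").
RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split "CN=a, O=b, C=DE" into RDNs, keeping backslash escape pairs intact.

    The comma-separated string syntax is an assumption of this example. "\\,"
    is a literal comma inside a value; "\\*" and "\\?" are kept for the matcher.
    """
    rdns: List[RDN] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","  # sentinel comma closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            part = "".join(buf).strip()
            buf = []
            if part:
                if "=" not in part:
                    raise ValueError(f"malformed RDN: {part!r}")
                typ, val = part.split("=", 1)
                rdns.append((typ.strip().upper(), val.strip()))
        else:
            buf.append(ch)
        i += 1
    return rdns


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a configured RDN value into a regex.

    "*" matches any run of characters, "?" exactly one character; "\\*" and
    "\\?" stand for the literal characters, "\\x" for any other x is literal x.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.DOTALL)


def unescape(value: str) -> str:
    """Resolve backslash escapes in a certificate subject value (no wildcards there)."""
    return re.sub(r"\\(.)", r"\1", value)


def identity_matches(configured_identity: str, certificate_subject: str) -> bool:
    """True if every RDN of the configured identity is found in the subject.

    RDN order is irrelevant and the subject may carry additional RDNs. Each
    configured RDN must match some subject RDN of the same attribute type.
    """
    subject = [(t, unescape(v)) for t, v in parse_dn(certificate_subject)]
    for typ, pattern in parse_dn(configured_identity):
        rx = wildcard_to_regex(pattern)
        if not any(t == typ and rx.fullmatch(v) for t, v in subject):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: subject with extra C= and different RDN order still matches.
    print(identity_matches("CN=vpn?.example.test, O=Example GmbH",
                           "C=DE, O=Example GmbH, CN=vpn1.example.test"))
```

Because the subject only has to contain the configured RDNs, a short identity such as `O=Example GmbH` accepts every certificate issued with that organisation name; when relying on partial identities, the set of CAs trusted for the connection is what bounds which certificates can carry such a subject.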


LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
