Example of rule execution

The execution of rules are defined on the Server object Network Device Enrollment Rules tab. The hierarchical, policy-based rules allow administrators to manage the destination for Certificate objects in the Policy tree.

The Rules tab only lists enabled Simple Certificate Enrollment Protocol (SCEP) rules. The rules apply to the Policy tree and those defined on the Server object. In this example:

• Five rules are enabled, and partial matches on the Common Name (CN) in the Certificate Signing Request (CSR) are configured on three folders in the Policy tree.
• The rules are listed in order of precedence.
• Rules of the same type are executed in alphanumeric order by Container. In the example, the Subject Match rules sort first, \VED\Policy\NonCorp\Engineering, then \VED\Policy\NonCorp\Marketing, and lastly \VED\Policy\NonCorp\Sales.
• Any rules, highlighted in red, will not be executed with the current configuration. The reason the rule would not be executed will be noted in the Rule column. In this example, the Global Password rule would not ever execute because the same challenge password is assigned at the \VED\Policy folder object.

The rules are displayed in the order they are executed. When a rule is found that matches the conditions of the CSR, execution ends and the matching rule is applied. Rules are applied in the following order:

1. Match X.509 Subject to existing certificate object
2. Accept folder in challenge password
3. Allow X.509 Subject folder rules
4. Match challenge password to container
5. Support additional CAs configured on policies