SSCEP: Subject of our request does not match that of the returned Certificate!

Assume the following scenario:

• A certificate request is made on a Linux system (for example, a thin client) by means of a SSCEP against a Network Device Enrollment Service (NDES) performed.
• The certificate request fails with the following error message:

sscep: Subject of our request does not match that of the returned Certificate!

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

SSCEP compares the subject of the submitted certificate request with the issued certificate.

sscep: decrypting inner PKCS#7
sscep: PKCS#7 payload size: 2005 bytes
write_local_cert(): found 1 cert(s)
sscep: found certificate with
subject: '/OU=IT/O=ADCS Labor/CN=testsceprequest'
issuer: /C=DE/ST=Bavaria/L=Munich/O=ADCS Labor/OU=IT/CN=ADCS Labor Issuing CA 1
request_subject: '/O=ADCS Labor/OU=IT/CN=testsceprequest'
Subject of the returned certificate: /OU=IT/O=ADCS Labor/CN=testsceprequest
Subject of the request: /O=ADCS Labor/OU=IT/CN=testsceprequest
X509_NAME_cmp() workaround: strcmp request subject (/O=ADCS Labor/OU=IT/CN=testsceprequest) to cert subject (/OU=IT/O=ADCS Labor/CN=testsceprequest)
sscep: Subject of our request does not match that of the returned Certificate!
sscep: certificate written as local.crt

If this message appears, the certificate was successfully issued by the certification authority, but the requested subject was not recognized by the certification authority based on the defined rules changedso that the comparison by SSCEP fails.

Possible solutions may include:

• Adjust the order of the Relative Distinguished Names (RDNs) in the certificate request subject so that it matches the defined rules (preferred solution).
• Adjust the order on the certificate authority to match the subject in the certificate request.
• Configure the Certification Authority to adopt the requested subject 1:1 (not recommended).

Related links:

• Allowed Relative Distinguished Names (RDNs) in the Subject of Issued Certificates
• Change the order of the Relative Distinguished Names (RDNs) in the subject of issued certificates.
• Use of undefined Relative Distinguished Names (RDN) in issued certificates
• Install SSCEP for Linux (Debian Buster) and apply for certificates via the Network Device Enrollment Service (NDES).