I don't think there is a way in the C++ broker how to include the CA in the identity - it is always taken from the certificate it self only.
Are you using regular public CA (e.g. Verisign)? Or some private certification authority? I think that the common name is supposed to carry some information which is verified by the CA which signed it. Therefore it is expected that if you have a signed certificate with CN=xxx from two different authorities, then they are supposed to be issued to the same entity (user / person / company). And therefore it should not matter which CA signed it as long as you trust the CA. On Wed, May 25, 2016 at 2:14 PM, Domen Vrankar <domen.vran...@gmail.com> wrote: > orks fine as long as there is only one CA issuing certificates > but I could generate some client certificates with a different ca > certificate and add that ca certificate to broker NSS database. > From that ca certificate I could issue a certificate with same common name. > Now all of a sudden two certificates from different CA agencies have > access to same queues and I don't w >