Only for NTDS we use the CN=<fingerprint> as top RDN. For historic (Open)LDAP servers we use pgpCertID=<keyid> as the top RDN. The latter should be replaced using a new scheme version or flag which does the same as NTDS.