PingDirectory

Certificate subject DNs

A certificate’s subject distinguished name (DN) is a name that provides information about the certificate and how it is intended to be used.

Like an LDAP DN, it consists of a comma-delimited series of attribute-value pairs. However, the attribute names in a certificate subject DN are typically written in all uppercase, whereas they are typically lowercase or camelCase in LDAP DNs.

Attributes that commonly appear in certificate subjects include:

CN

A common name. For a listener certificate, this is often a hostname that clients use to access the server that presents the certificate, although the subject alternative name extension provides a better mechanism for accomplishing that. Most certificate subject DNs include at least the CN attribute.

E

An email address.

OU

An organizational unit (department) name.

O

An organization (company) name.

L

A locality (city) name.

ST

A state or province name.

This should be the full name of the state or province, not an abbreviation.

C

An ISO 3166 country code (not the full country name).

A certificate subject should include at least one attribute-value pair, and the CN attribute is typically present. Other attributes can be omitted, but the O and C attributes are also fairly common. For example, a listener certificate for a server with an address of ldap.example.com run by the US-based company Example Corp might have a subject of CN=ldap.example.com,O=Example Corp,C=US.
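The conventions above can be checked before a certificate signing request is generated. The following is an added example, not PingDirectory code: the function names are hypothetical, the two-letter form of the country code and the uppercase-abbreviation test for ST are assumptions of this sketch, and multi-valued RDNs (`+`) and quoted values are not handled.

```python
import re

def split_unescaped(text, sep=","):
    """Split on sep, keeping backslash-escaped characters with their value."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf += text[i:i + 2]      # keep the escape pair intact for now
            i += 2
            continue
        if text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i]
        i += 1
    return parts + [buf]

def parse_subject(dn):
    """Return [(attribute, value), ...] in the order written in the DN."""
    pairs = []
    for rdn in split_unescaped(dn):
        name, eq, value = rdn.partition("=")
        name, value = name.strip(), value.strip()
        if not (eq and name and value):   # also rejects an empty subject
            raise ValueError(f"malformed attribute-value pair: {rdn!r}")
        pairs.append((name, re.sub(r"\\(.)", r"\1", value)))  # unescape
    return pairs

def lint_subject(dn):
    """Return warnings where a subject departs from the conventions above."""
    pairs = parse_subject(dn)
    warnings = []
    if "CN" not in [name.upper() for name, _ in pairs]:
        warnings.append("no CN attribute")
    for name, value in pairs:
        if name != name.upper():
            warnings.append(f"{name}: attribute name is not uppercase")
        # Assumption: C carries the two-letter (alpha-2) ISO 3166 code.
        if name.upper() == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            warnings.append(f"C={value}: expected a two-letter country code")
        # Heuristic: a short all-uppercase ST value is likely an abbreviation.
        if name.upper() == "ST" and re.fullmatch(r"[A-Z]{2,3}", value):
            warnings.append(f"ST={value}: looks like an abbreviation")
    return warnings

# Constructed sample subjects; the first is the example from the text above.
SAMPLES = [
    "CN=ldap.example.com,O=Example Corp,C=US",
    "cn=ldap.example.com,O=Example\\, Inc,ST=TX,C=United States",
]
if __name__ == "__main__":
    for subject in SAMPLES:
        print(subject, "->", lint_subject(subject) or "ok")
```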