Certificate subject DNs
A certificate’s subject distinguished name (DN) is a name that provides information about the certificate and how it is intended to be used.
Like an LDAP DN, it is comprised of a comma-delimited series of attribute-value pairs, but the attribute names in a certificate subject DN are typically written in all uppercase, whereas they are typically lowercase or camelCase in LDAP DNs.
Attributes that commonly appear in certificate subjects include:
- CN: A common name. For a listener certificate, this is often a hostname that clients use to access the certificate, although the subject alternative name extension provides a better mechanism for accomplishing that. Most certificate subject DNs include at least the CN attribute.
- E: An email address.
- OU: An organizational unit (department) name.
- O: An organization (company) name.
- L: A locality (city) name.
- ST: A state or province name. This should be the full name of the state or province, not an abbreviation.
- C: An ISO 3166 country code (not the full country name).
A certificate subject should include at least one attribute-value pair, and the CN attribute is typically present. Other attributes can be omitted, but the O and C attributes are also fairly common. For example, a listener certificate for a server with an address of ldap.example.com run by the US-based company Example Corp might have a subject of CN=ldap.example.com,O=Example Corp,C=US.
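The following is an added example, not code from the product this page documents: it parses a subject DN string into attribute-value pairs and checks it against the guidance above before the subject is used in a certificate request. The function names are hypothetical, the ST check is a heuristic, the C check tests only the two-letter format rather than membership in ISO 3166, and only single-character backslash escapes are handled (no hex escapes or multi-valued "+" components).

```python
import re

def split_unescaped(text, sep=","):
    """Split on sep, treating a backslash-escaped character as literal."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])      # e.g. "\," inside O=Example\, Inc.
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_subject_dn(dn):
    """Return [(ATTR, value), ...]; raise ValueError on an empty or malformed DN."""
    pairs = []
    for rdn in split_unescaped(dn):
        name, eq, value = rdn.strip().partition("=")
        if not eq or not name.strip() or not value.strip():
            raise ValueError(f"malformed attribute-value pair: {rdn!r}")
        pairs.append((name.strip().upper(), value.strip()))
    return pairs

def lint_subject(dn):
    """Check a subject DN against the guidance on this page."""
    findings = []
    pairs = parse_subject_dn(dn)
    names = [name for name, _ in pairs]
    if "CN" not in names:
        findings.append("no CN attribute")
    for name, value in pairs:
        # Format check only: X.509 countryName holds a two-letter code.
        if name == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            findings.append(f"C={value!r} is not a two-letter country code")
        # Heuristic (assumption): 2-3 capital letters suggests an abbreviation.
        if name == "ST" and re.fullmatch(r"[A-Z]{2,3}\.?", value):
            findings.append(f"ST={value!r} looks like an abbreviation")
    return findings

if __name__ == "__main__":
    # Constructed sample subjects; the first is the example from the text above.
    for s in ("CN=ldap.example.com,O=Example Corp,C=US",
              "O=Example Corp,ST=TX,C=United States"):
        print(s, "->", lint_subject(s) or "ok")
```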