A certificate's subject distinguished name (DN) provides information about the manner in which the certificate is to be used. Like an LDAP DN, a certificate's subject DN consists of a comma-delimited series of attribute-value pairs. Unlike an LDAP DN, however, the attribute names in a certificate subject DN are typically written all in uppercase characters. (Attribute names in an LDAP DN are typically written in lowercase or CamelCase characters.)

A certificate's subject DN is also referred to as its subject. The following attributes commonly appear in a certificate subject:

  • CN – Common name. For a listener certificate, the CN attribute typically identifies the host name that clients use to access the server, although the subject alternative name extension is the more strongly recommended mechanism for accomplishing the same task. Most certificate subject DNs include at least the CN attribute.
  • E – Email address.
  • OU – Name of the organizational unit, such as the relevant department.
  • O – Name of the organization or company.
  • L – Name of the locality, such as the appropriate city.
  • ST – Full name of the state or province.
  • C – ISO 3166 country code.

A certificate subject includes at least one attribute-value pair, and the CN attribute is typically present. Other attributes can be omitted, although the O and C attributes are also common. For example, a listener certificate for a server with an address of ldap.example.com, which is run by the US-based company Example Corp, might have a subject of CN=ldap.example.com,O=Example Corp,C=US.
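
The subject format described above can be checked mechanically before a certificate request is issued. The following is an added example, not code from the product documented here: it splits a subject string into attribute-value pairs (honoring backslash-escaped commas), normalizes attribute names to uppercase, and reports a missing CN or a C value that is not a two-letter code. The function names and the set of findings are assumptions made for illustration.

```python
import re

# Attribute names listed on this page for certificate subjects.
COMMON_ATTRS = {"CN", "E", "OU", "O", "L", "ST", "C"}

def split_unescaped(text, sep=","):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
        elif text[i] == sep:
            parts.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(text[i])
            i += 1
    parts.append("".join(buf))
    return parts

def parse_subject(subject):
    """Return ordered (ATTR, value) pairs; raise ValueError if malformed."""
    pairs = []
    for rdn in split_unescaped(subject):
        name, eq, value = rdn.strip().partition("=")
        if not eq or not name.strip() or not value.strip():
            raise ValueError(f"malformed attribute-value pair: {rdn!r}")
        # Simplification: only backslash-character escapes, no hex (\2C) form.
        value = re.sub(r"\\(.)", r"\1", value.strip())
        pairs.append((name.strip().upper(), value))
    return pairs

def lint_subject(subject):
    """Return findings for a subject string; an empty list means none."""
    pairs = parse_subject(subject)
    findings = []
    if "CN" not in [name for name, _ in pairs]:
        findings.append("no CN attribute")
    for name, value in pairs:
        if name not in COMMON_ATTRS:
            findings.append(f"uncommon attribute {name}")
        if name == "C" and not (len(value) == 2 and value.isascii() and value.isalpha()):
            findings.append(f"C value {value!r} is not a two-letter country code")
    return findings

# Constructed sample inputs: the page's example, and one with an escaped comma.
if __name__ == "__main__":
    for s in ("CN=ldap.example.com,O=Example Corp,C=US",
              r"cn=ldap.example.com, O=Example\, Inc., C=USA"):
        print(parse_subject(s), lint_subject(s))
```

A subject that passes these checks still says nothing about the subject alternative name extension, which must be inspected separately on the certificate itself.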