A certificate’s subject distinguished name (DN) is a name that provides information about the certificate and how it is intended to be used.
Like an LDAP DN, it consists of a comma-delimited series of attribute-value pairs, but the attribute names in a certificate subject DN are typically written in all uppercase, whereas they are typically lowercase or camelCase in LDAP DNs.
Attributes that commonly appear in certificate subjects include:
- CN: A common name. For a listener certificate, this is often a hostname that clients use to access the certificate, although the subject alternative name extension provides a better mechanism for accomplishing that. Most certificate subject DNs include at least the CN attribute.
- E: An email address.
- OU: An organizational unit (department) name.
- O: An organization (company) name.
- L: A locality (city) name.
- ST: A state or province name. Note: This should be the full name of the state or province, not an abbreviation.
- C: An ISO 3166 country code (not the full country name).
A certificate subject should include at least one attribute-value pair, and the CN attribute is typically present. Other attributes can be omitted, but the O and C attributes are also fairly common. For example, a listener certificate for a server with an address of ldap.example.com run by the US-based company Example Corp might have a subject of CN=ldap.example.com,O=Example Corp,C=US.
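The conventions above can be checked mechanically before a subject is put into a certificate request. The following linter is an added example, not code from the original page or from any product it describes; the function names are hypothetical, the C check assumes the two-letter form of the ISO 3166 code and tests format only, and the ST check is a heuristic.

```python
import re

# Attribute names listed above; others are reported, not rejected.
KNOWN = {"CN", "E", "OU", "O", "L", "ST", "C"}

def split_rdns(dn):
    """Split on unescaped commas; a backslash-escaped comma stays in the value."""
    return [p.strip() for p in re.findall(r"(?:\\.|[^,\\])+", dn) if p.strip()]

def lint_subject(dn):
    """Return (pairs, findings) for a certificate subject DN string."""
    pairs, findings = [], []
    for rdn in split_rdns(dn):
        name, sep, value = rdn.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            findings.append(f"malformed pair: {rdn!r}")
            continue
        if name != name.upper():
            findings.append(f"{name}: attribute names are typically uppercase")
        if name.upper() not in KNOWN:
            findings.append(f"{name}: not one of the common subject attributes")
        pairs.append((name.upper(), value))
    attrs = dict(pairs)
    if not pairs:
        findings.append("subject has no attribute-value pairs")
    elif "CN" not in attrs:
        findings.append("CN is missing (typically present)")
    c = attrs.get("C")
    # Format check only: two uppercase letters, not membership in ISO 3166.
    if c is not None and not re.fullmatch(r"[A-Z]{2}", c):
        findings.append(f"C={c}: expected a two-letter ISO 3166 code")
    st = attrs.get("ST")
    # Heuristic: a two-letter value is probably an abbreviation.
    if st is not None and re.fullmatch(r"[A-Za-z]{2}", st):
        findings.append(f"ST={st}: looks abbreviated; use the full name")
    return pairs, findings

if __name__ == "__main__":
    # Constructed sample subjects: the page's example, then a flawed one.
    for dn in ("CN=ldap.example.com,O=Example Corp,C=US",
               r"cn=ldap.example.com,O=Example\, Inc,ST=TX,C=United States"):
        print(dn, "->", lint_subject(dn)[1] or "no findings")
```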