88

According to X.509, a certificate has a subject attribute.

```
C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft,
CN=www.freesoft.org/emailAddress=baccala@freesoft.org
```

This is the typical subject value. The question is: what are the types (or tags) of those attributes (C, ST, L, O, OU, CN) and what is their format?

Mathias Brossard
Sergey
  • Those attributes are specified in [X.520 : Information technology - Open Systems Interconnection - The Directory: Selected attribute types](http://www.itu.int/rec/T-REC-X.520). When present in the *Subject* or *Issuer*, they are called *Relative Distinguished Names* (RDN), and they form the *Distinguished Name* (DN). The DN is just a mashup of RDNs. – jww May 12 '14 at 16:32
  • Where are the short names (like CN, O, OU...) defined (if at all)? Windows also uses them (and openssl), so there must be at least some informal standard. – David Balažic Aug 10 '16 at 14:44
  • @DavidBalažic Look in RFC4519 §2 "Attribute Types". It references X.520, which should be the true authoritative source for this data, except that this specification is not openly/freely available, while the IETF RFCs are available for free in both senses of the term. – Patrick Mevzek May 13 '20 at 22:57
  • @PatrickMevzek I think you may have made a typo? RFC4519 is related to LDAP. – Nate T Jan 12 '22 at 04:50
  • @NateT For the reasons explained in my comment. `X.520` is authoritative, but not freely available. RFC 4519 is indeed for LDAP, which reuses a lot of "X" stuff, and hence you can find definitions there. Or look at one of the answers given, citing RFC 5280. Or the other answer citing RFC 4519 again. – Patrick Mevzek Jan 12 '22 at 06:35

3 Answers

119

IETF PKIX (latest version RFC 5280) is a well-accepted profile for certificates. From section 4.1.2.4, the following fields must be supported (in parentheses I've added the OpenSSL long name and, where one exists, the short name):

  • country (countryName, C),
  • organization (organizationName, O),
  • organizational unit (organizationalUnitName, OU),
  • distinguished name qualifier (dnQualifier),
  • state or province name (stateOrProvinceName, ST),
  • common name (commonName, CN) and
  • serial number (serialNumber).

There's also a list of elements that should be supported:

  • locality (locality, L),
  • title (title),
  • surname (surName, SN),
  • given name (givenName, GN),
  • initials (initials),
  • pseudonym (pseudonym) and
  • generation qualifier (generationQualifier).

Values should be encoded in UTF8String or PrintableString (some of them only in PrintableString, and some exceptions in IA5String). The standard also has a maximum length for all field types (Appendix A.1).

For reasons of compatibility, implementations must also support domain components (domainComponent, DC) encoded in IA5String. Attention is drawn to email (emailAddress) and its encoding (IA5String); it is considered deprecated in DNs and should instead be placed in the Subject Alternative Name extension.

Max13
Mathias Brossard
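To make the encoding rules in the answer above concrete, here is an added example (not the answerer's code and not any library's API) that DER-encodes a subject as an X.509 RDNSequence: each short name maps to its X.520 or PKCS#9 object identifier, the value is wrapped in PrintableString (C), UTF8String (the other DirectoryString attributes) or IA5String (DC, emailAddress), and the RFC 5280 Appendix A.1 upper bounds are checked before encoding. The short-name table, the choice of UTF8String over PrintableString for DirectoryString values, and the one-attribute-per-RDN layout are assumptions of this example.

```python
# Short name -> (OID, RFC 5280 Appendix A.1 upper bound, ASN.1 string type); assumed for this example.
ATTRS = {
    "C":  ("2.5.4.6", 2, "PrintableString"),
    "ST": ("2.5.4.8", 128, "UTF8String"),
    "L":  ("2.5.4.7", 128, "UTF8String"),
    "O":  ("2.5.4.10", 64, "UTF8String"),
    "OU": ("2.5.4.11", 64, "UTF8String"),
    "CN": ("2.5.4.3", 64, "UTF8String"),
    "DC": ("0.9.2342.19200300.100.1.25", None, "IA5String"),
    "emailAddress": ("1.2.840.113549.1.9.1", 255, "IA5String"),
}
TAGS = {"PrintableString": 0x13, "UTF8String": 0x0C, "IA5String": 0x16}
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_value(short: str, value: str) -> bytes:
    _, bound, kind = ATTRS[short]
    if bound is not None and len(value) > bound:
        raise ValueError(f"{short}: longer than RFC 5280 upper bound {bound}")
    if kind == "IA5String" and not value.isascii():
        raise ValueError(f"{short}: IA5String cannot carry non-ASCII characters")
    if kind == "PrintableString" and not set(value) <= PRINTABLE:
        raise ValueError(f"{short}: not a valid PrintableString")
    return tlv(TAGS[kind], value.encode("utf-8"))

def encode_dn(rdns) -> bytes:
    """RDNSequence: SEQUENCE OF SET OF SEQUENCE { type OID, value }, one attribute per RDN."""
    atvs = [tlv(0x30, encode_oid(ATTRS[s][0]) + encode_value(s, v)) for s, v in rdns]
    return tlv(0x30, b"".join(tlv(0x31, atv) for atv in atvs))
```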
4

For those wanting the exact format of these attributes, which is not given in RFC5280:

The capitalized tags are detailed in RFC4519 which is the LDAP schema. This document also links to other RFCs describing the precise syntax and semantics for each specific attribute and datatype.

For example, the country code "C" follows RFC4517 and ISO3166, which gives the actual two-letter codes. And the domain component "DC" is a DNS name in accordance with RFC1034.

ChalkTalk
1

In addition to the excellent answer referring to RFC 5280, also consult RFC 8399 Internationalization Updates to RFC 5280. RFC 8399 specifies how to handle internationalised domain names and email addresses, in accordance with the updated IDNA 2008. RFC 5280 is aligned with the outdated IDNA 2003, and is not clear about how to handle email addresses where the local part is not limited to ASCII.

Jim DeLaHunt