Distinguished Names

The Distinguished Name (DN) uniquely identifies an entity in an X.509 certificate.

The following attribute types are commonly found in the DN:

SERIALNUMBER: Certificate serial number
MAIL: Email address
E: Email address (Deprecated in preference to MAIL)
UID or USERID: User identifier
CN: Common Name
T: Title
OU: Organizational Unit name
DC: Domain component
O: Organization name
STREET: Street / First line of address
L: Locality name
ST (or SP or S): State or Province name
PC: Postal code / zip code
C: Country
UNSTRUCTUREDNAME: Host name
UNSTRUCTUREDADDRESS: IP address
DNQ: Distinguished name qualifier

The X.509 standard defines other attributes that do not typically form part of the DN but can provide optional extensions to the digital certificate.

The X.509 standard provides for a DN to be specified in a string format. For example:


CN=John Smith, OU=Test, O=IBM, C=GB

The Common Name (CN) can describe an individual user or any other entity, for example a server.

The DN can contain multiple OU and DC attributes. Only one instance of each of the other attributes is permitted. The order of the OU entries is significant: the order specifies a hierarchy of Organizational Unit names, with the highest-level unit first. The order of the DC entries is also significant.