[Freeipa-devel] certificate DN's

John Dennis jdennis at redhat.com
Thu Jul 14 16:24:56 UTC 2011


In the conference call this morning the issue came up as to what are 
valid DNs in certificates (used for subject names and issuer names). 
RFC 2459 says this: (note 'type' as it is used below means the attribute 
name, e.g. cn is a type; I realize it's confusing, welcome to the world 
of RFC's :-)

-------------------------------------------------------------

As noted above, distinguished names are composed of attributes. This
specification does not restrict the set of attribute types that may
appear in names. However, conforming implementations MUST be
prepared to receive certificates with issuer names containing the set
of attribute types defined below. This specification also recommends
support for additional attribute types.

Standard sets of attributes have been defined in the X.500 series of
specifications.[X.520] Implementations of this specification MUST be
prepared to receive the following standard attribute types in issuer
names: country, organization, organizational-unit, distinguished name
qualifier, state or province name, and common name (e.g., "Susan
Housley"). In addition, implementations of this specification SHOULD
be prepared to receive the following standard attribute types in
issuer names: locality, title, surname, given name, initials, and
generation qualifier (e.g., "Jr.", "3rd", or "IV"). The syntax and
associated object identifiers (OIDs) for these attribute types are
provided in the ASN.1 modules in Appendices A and B.

In addition, implementations of this specification MUST be prepared
to receive the domainComponent attribute, as defined in [RFC 2247].
The Domain (Nameserver) System (DNS) provides a hierarchical resource
labeling system. This attribute provides is a convenient mechanism
for organizations that wish to use DNs that parallel their DNS names.
This is not a replacement for the dNSName component of the
alternative name field. Implementations are not required to convert
such names into DNS names. The syntax and associated OID for this
attribute type is provided in the ASN.1 modules in Appendices A and
B.

----------------------------------------------------------------

But for what it's worth, this is what NSS supports (from alg1485.c) and 
since we're mostly based on NSS we should enforce this:

The columns are: name, max_length, format

max_length is the number of UTF-8 octets
format DS is Directory String, e.g. UTF-8; the other formats should be 
self-evident.

"CN",                     64,    DS
"ST",                     128,   DS
"O",                      64,    DS
"OU",                     64,    DS
"dnQualifier",            32767, PRINTABLE_STRING
"C",                      2,     PRINTABLE_STRING
"serialNumber",           64,    PRINTABLE_STRING
"L",                      128,   DS
"title",                  64,    DS
"SN",                     64,    DS
"givenName",              64,    DS
"initials",               64,    DS
"generationQualifier",    64,    DS
"DC",                     128,   IA5_STRING
"MAIL",                   256,   IA5_STRING
"UID",                    256,   DS
"postalAddress",          128,   DS
"postalCode",             40,    DS
"postOfficeBox",          40,    DS
"houseIdentifier",        64,    DS
"E",                      128,   IA5_STRING
"STREET",                 128,   DS
"pseudonym",              64,    DS
"incorporationLocality",  128,   DS
"incorporationState",     128,   DS
"incorporationCountry",   2,     PRINTABLE_STRING
"businessCategory",       64,    DS

-- 
John Dennis <jdennis at redhat.com>
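As an added example (not code from the message, FreeIPA or NSS), here is a Python check that applies the NSS table above to a string DN: it splits RDNs on unescaped commas, then for each attribute type enforces the UTF-8 octet limit and the string-format repertoire. The attribute table is transcribed from the message, the PrintableString character set is the X.680 one, and the function names are my own.

```python
import re

# NSS attribute-type table from the message above: name -> (max UTF-8 octets, format).
NSS_DN_ATTRS = {
    "CN": (64, "DS"), "ST": (128, "DS"), "O": (64, "DS"), "OU": (64, "DS"),
    "DNQUALIFIER": (32767, "PRINTABLE_STRING"), "C": (2, "PRINTABLE_STRING"),
    "SERIALNUMBER": (64, "PRINTABLE_STRING"), "L": (128, "DS"), "TITLE": (64, "DS"),
    "SN": (64, "DS"), "GIVENNAME": (64, "DS"), "INITIALS": (64, "DS"),
    "GENERATIONQUALIFIER": (64, "DS"), "DC": (128, "IA5_STRING"),
    "MAIL": (256, "IA5_STRING"), "UID": (256, "DS"), "POSTALADDRESS": (128, "DS"),
    "POSTALCODE": (40, "DS"), "POSTOFFICEBOX": (40, "DS"), "HOUSEIDENTIFIER": (64, "DS"),
    "E": (128, "IA5_STRING"), "STREET": (128, "DS"), "PSEUDONYM": (64, "DS"),
    "INCORPORATIONLOCALITY": (128, "DS"), "INCORPORATIONSTATE": (128, "DS"),
    "INCORPORATIONCOUNTRY": (2, "PRINTABLE_STRING"), "BUSINESSCATEGORY": (64, "DS"),
}

# PrintableString repertoire (X.680): letters, digits, space and ' ( ) + , - . / : = ?
_PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def split_rdns(dn):
    """Split a string DN on commas that are not backslash-escaped (RFC 4514 style)."""
    return [part.replace("\\,", ",") for part in re.split(r"(?<!\\),", dn)]


def check_dn(dn):
    """Return a list of problems; an empty list means every RDN passes the NSS table."""
    problems = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            problems.append(f"malformed RDN: {rdn!r}")
            continue
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip(), value.strip()
        entry = NSS_DN_ATTRS.get(attr.upper())
        if entry is None:
            problems.append(f"{attr}: attribute type not supported by NSS")
            continue
        max_len, fmt = entry
        octets = len(value.encode("utf-8"))  # limit is in octets, not characters
        if octets > max_len:
            problems.append(f"{attr}: {octets} UTF-8 octets exceeds maximum of {max_len}")
        if fmt == "PRINTABLE_STRING" and not _PRINTABLE.match(value):
            problems.append(f"{attr}: value is not a PrintableString")
        elif fmt == "IA5_STRING" and not value.isascii():
            problems.append(f"{attr}: value is not an IA5String (non-ASCII)")
    return problems
```

Directory String (DS) values are accepted as any UTF-8, so only the octet limit applies to them.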