October 27, 2018

X.509 Standard set of attributes order

"The order of the relative distinguished names (RDNs) in the subject or issuer DN of a certificate on an ASN.1 level reflects the order in the tree (i.e. top-down):"
    SEQUENCE {
        SET {
            SEQUENCE {
                OBJECT IDENTIFIER=CountryName (2.5.4.6)
                PRINTABLE STRING='US'
            }
        }
        SET {
            SEQUENCE {
                OBJECT IDENTIFIER=OrganizationName (2.5.4.10)
                PRINTABLE STRING='GeoTrust Inc.'
            }
        }
        SET {
            SEQUENCE {
                OBJECT IDENTIFIER=CommonName (2.5.4.3)
                PRINTABLE STRING='GeoTrust Global CA'
            }
        }
    }

C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA

"However, for the string representation of a DN there are two standards: OpenSSL shows the attributes by default as they are actually stored in the certificate, while RFC 2253/4514 reverses the order."

"... the output consists of the string encodings of each RelativeDistinguishedName in the RDNSequence (according to Section 2.2), starting with the last element of the sequence and moving backwards toward the first."

CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US

"Also note that there are certificates 'in the wild' which have multiple OUs in their DNs or less common attribute types from RFC 4519 like SERIALNUMBER or UID. I have also seen quite a few certificates, where the RDNs were actually encoded in the wrong order."
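The two orderings described above, as an added example that is not part of the quoted answer: a small hand-written DER codec (standard library only) builds the GeoTrust Global CA subject as SEQUENCE OF SET OF SEQUENCE, decodes it back in stored order, and renders it both the way OpenSSL shows it by default and the way RFC 2253/4514 prescribes (walking the sequence backwards). The sample name is constructed from the text; the OID table covers only the attribute types mentioned here, and the codec assumes definite lengths and single-octet tags, which is all a Name needs.

```python
# Added example, not the original post's code: DER round-trip of an X.509 Name.

# Short names for the attribute types used here (RFC 4519 / X.520).
OID_TO_NAME = {
    "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN",
    "2.5.4.5": "SERIALNUMBER", "0.9.2342.19200300.100.1.1": "UID",
}
NAME_TO_OID = {v: k for k, v in OID_TO_NAME.items()}
TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_PRINTABLE, TAG_UTF8 = 0x30, 0x31, 0x06, 0x13, 0x0C

def _tlv(tag, content):
    """Wrap content in a DER tag-length-value triple (definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: first octet holds the number of length octets
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, continuation bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(body))

def encode_name(rdns):
    """rdns: RDNs in top-down (stored) order, each a list of (short name, value).
    Produces Name ::= SEQUENCE OF SET OF SEQUENCE { type, PrintableString }."""
    sets = b""
    for rdn in rdns:
        atvs = b"".join(
            _tlv(TAG_SEQUENCE, _encode_oid(NAME_TO_OID[t]) + _tlv(TAG_PRINTABLE, v.encode("ascii")))
            for t, v in rdn)
        sets += _tlv(TAG_SET, atvs)
    return _tlv(TAG_SEQUENCE, sets)

def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Decode a DER Name into [[(type, value), ...], ...] in stored order.
    Accepts PrintableString and UTF8String values, both common in real certs."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == TAG_SEQUENCE, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        assert tag == TAG_SET, "each RDN must be a SET"
        attrs, p = [], 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            assert tag == TAG_SEQUENCE, "AttributeTypeAndValue must be a SEQUENCE"
            t, oid, q = _read_tlv(atv, 0)
            vt, val, _ = _read_tlv(atv, q)
            assert t == TAG_OID and vt in (TAG_PRINTABLE, TAG_UTF8)
            dotted = _decode_oid(oid)
            attrs.append((OID_TO_NAME.get(dotted, dotted), val.decode("utf-8")))
        rdns.append(attrs)
    return rdns

def _escape(value):
    """RFC 4514 section 2.4 escaping of special characters in a value."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)

def format_dn(rdns, rfc4514=False):
    """Stored (OpenSSL default) order, or reversed as RFC 2253/4514 requires.
    Attributes of a multi-valued RDN are joined with '+'."""
    order = reversed(rdns) if rfc4514 else rdns
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in order)

# Constructed sample: the GeoTrust Global CA subject shown in the text.
SAMPLE_RDNS = [[("C", "US")], [("O", "GeoTrust Inc.")], [("CN", "GeoTrust Global CA")]]

if __name__ == "__main__":
    der = encode_name(SAMPLE_RDNS)
    print(der.hex())
    print("stored order:", format_dn(parse_name(der)))
    print("RFC 4514    :", format_dn(parse_name(der), rfc4514=True))
```

The practical consequence for anyone matching issuer against subject, or filtering on a DN in logs, is that the two string forms of the same name are not interchangeable: compare the decoded RDN sequence (or at least normalize both sides to one convention, e.g. `openssl x509 -noout -subject -nameopt RFC2253`) rather than comparing strings produced by different tools.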

Reference:
