Name Properties

Name properties are properties of certificates and certificate requests that represent data about the subject, that is, the owner of the certificate or the individual for whom a certificate is requested. Each name property is identified by a property name. These names are not localizable; however, name properties typically correspond to a Certificate Services database column, and you can use the Certification Authority MMC snap-in, the command line tool 'certutil -schema', or the IEnumCERTVIEWCOLUMN::GetDisplayName method to display localized versions of the database column names.

The property name (but not the aliases) may have "Subject." as an optional prefix. For example, to refer to the subject's common name, you can use either "CommonName" or "Subject.CommonName".

In addition to its name, each property has some number of aliases that Certificate Services recognizes as alternate names for the property. Note that object identifiers (OIDs) are acceptable aliases, as are the szOID_* constants. These constants are definitions (in Wincrypt.h) that represent the OIDs. For example, szOID_COMMON_NAME is defined as "2.5.4.3". Consequently, you can use the szOID_* constants as aliases in place of the OIDs they represent.

| Property name | Aliases | Data type | Description |
|---|---|---|---|
| "Subject.CommonName" | "CommonName", "CN", "2.5.4.3", szOID_COMMON_NAME | String (max 64 chars) | For user certificates, the person's full name. For computer certificates, the fully qualified HostName/Path used in Domain Name System (DNS) lookups (for example, HostName.Example.com). |
| "Subject.Country" | "Country", "C", "2.5.4.6", szOID_COUNTRY_NAME | String (max 2 chars) | The subject's country or region. This is an X.500 two-character country/region code (for example, US for United States or CA for Canada). Many of these two-character codes are defined in the ISO 3166 standard. Additionally, the current locale's code is available through a call to the Windows function GetLocaleInfo (by specifying an LCType of LOCALE_SISO3166CTRYNAME). |
| "Subject.DeviceSerialNumber" | "DeviceSerialNumber", "2.5.4.5", szOID_DEVICE_SERIAL_NUMBER | String (max 1024 chars) | Device serial number. |
| "Subject.DomainComponent" | "DomainComponent", "DC", "0.9.2342.19200300.100.1.25", szOID_DOMAIN_COMPONENT | String (max 128 chars) | Component of a Domain Name System (DNS) name. |
| "Subject.EMail" | "EMail", "E", "1.2.840.113549.1.9.1", szOID_RSA_emailAddr | String (max 128 chars) | Email address (for example, "[email protected]"). |
| "Subject.GivenName" | "GivenName", "G", "2.5.4.42", szOID_GIVEN_NAME | String (max 16 chars) | First name of the subject. |
| "Subject.Initials" | "Initials", "I", "2.5.4.43", szOID_INITIALS | String (max 5 chars) | Initials of the subject (optional). |
| "Subject.Locality" | "Locality", "L", "2.5.4.7", szOID_LOCALITY_NAME | String (max 128 chars) | Name of the subject's city. |
| "Subject.Organization" | "Organization", "Org", "O", "2.5.4.10", szOID_ORGANIZATION_NAME | String (max 64 chars) | Legal name of the subject's organization. |
| "Subject.OrgUnit" | "OrgUnit", "OrganizationUnit", "OrganizationalUnit", "OU", "2.5.4.11", szOID_ORGANIZATIONAL_UNIT_NAME | String (max 64 chars) | Name of the subject's sub-organization or department. |
| "Subject.State" | "State", "ST", "S", "2.5.4.8", szOID_STATE_OR_PROVINCE_NAME | String (max 128 chars) | Full name of the subject's state or province (for example, California). |
| "Subject.StreetAddress" | "StreetAddress", "Street", "2.5.4.9", szOID_STREET_ADDRESS | String (max 30 chars) | Subject's street address or PO Box. |
| "Subject.SurName" | "SurName", "SN", "2.5.4.4", szOID_SUR_NAME | String (max 40 chars) | Last name of the subject. |
| "Subject.Title" | "Title", "T", "2.5.4.12", szOID_TITLE | String (max 64 chars) | Title of the individual who requested the certificate (optional). |
| "Subject.UnstructuredAddress" | "UnstructuredAddress", "1.2.840.113549.1.9.8", szOID_RSA_unstructAddr | String (max 1024 chars) | Unstructured address. |
| "Subject.UnstructuredName" | "UnstructuredName", "1.2.840.113549.1.9.2", szOID_RSA_unstructName | String (max 1024 chars) | Unstructured name. |


The following properties are related to the subject, although they are not name properties. The policy module cannot set these properties directly.

| Property | Data type | Description |
|---|---|---|
| "Request.DistinguishedName" | String (max 8192 chars) | The relative distinguished name for the request, a textual representation of the subject in the request. This representation consists of name properties, for example, "CN=MyName, OU=MyOrgUnit, C=US". The Certificate Services application sets this property before calling the policy module, by calling CertNameToStr using the RawRequest's Subject. |
| "Request.RawName" | Binary (max 4096 bytes) | Abstract Syntax Notation One (ASN.1) binary subject BLOB extracted from the request. The Certificate Services application sets this property before calling the policy module; its value is determined by the RawRequest's Subject. |
| "DistinguishedName" | String (max 8192 chars) | The relative distinguished name for the certificate, a textual representation of the subject in the certificate. This representation consists of name properties, for example, "CN=MyName, OU=MyOrgUnit, C=US". The Certificate Services application sets this property after calling the policy module, by calling CertNameToStr using the RawName. |
| "RawName" | Binary (max 4096 bytes) | ASN.1 binary subject BLOB used to construct the certificate. The Certificate Services application sets this property after calling the policy module; its value is determined by the values of specific name properties (Subject.CommonName and so on) as directed by the SubjectTemplate. |


Which relative distinguished name components appear in the DistinguishedName property and the order in which they appear are controlled by the "SubjectTemplate" registry value contained in the following registry key:

HKEY_LOCAL_MACHINE
   System
      CurrentControlSet
         Services
            CertSvc
               Configuration
                  CaName

When Certificate Services parses attribute names, it ignores spaces, hyphens (minus signs), and case. For example, "AttributeName1", "Attribute Name1", and "Attribute-name1" are all equivalent. For attribute values, Certificate Services ignores leading and trailing white space.

All of the preceding properties except DistinguishedName, RawName, and Subject.Country support multiple-valued syntax by using a newline character. The newline separator cannot be disabled or changed.
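As an added example (not code from this page or from Certificate Services), the following Python applies the rules above to a subset of the table: the optional "Subject." prefix on the property name only, OID and szOID_* aliases, attribute names matched ignoring spaces, hyphens and case, newline-separated multiple values with leading and trailing white space trimmed, and the per-property length limits. Matching aliases with the same normalization as property names, and splitting a DN string on plain commas, are assumptions of this example.

```python
# Added example, not Certificate Services code. property: (aliases, max chars, multi-valued)
NAME_PROPERTIES = {
    "CommonName": (("CN", "2.5.4.3", "szOID_COMMON_NAME"), 64, True),
    "Country": (("C", "2.5.4.6", "szOID_COUNTRY_NAME"), 2, False),
    "DomainComponent": (("DC", "0.9.2342.19200300.100.1.25",
                         "szOID_DOMAIN_COMPONENT"), 128, True),
    "EMail": (("E", "1.2.840.113549.1.9.1", "szOID_RSA_emailAddr"), 128, True),
    "Organization": (("Org", "O", "2.5.4.10", "szOID_ORGANIZATION_NAME"), 64, True),
    "OrgUnit": (("OrganizationUnit", "OrganizationalUnit", "OU", "2.5.4.11",
                 "szOID_ORGANIZATIONAL_UNIT_NAME"), 64, True),
    "State": (("ST", "S", "2.5.4.8", "szOID_STATE_OR_PROVINCE_NAME"), 128, True),
}

def normalize(name):
    """Compare attribute names ignoring spaces, hyphens and case (page rule)."""
    return name.replace(" ", "").replace("-", "").lower()

# Only the property name, never an alias, may carry the "Subject." prefix.
# Assumption: aliases are matched with the same normalization as property names.
_ALIAS_INDEX = {}
for _prop, (_aliases, _, _) in NAME_PROPERTIES.items():
    for _alias in (_prop, "Subject." + _prop) + _aliases:
        _ALIAS_INDEX[normalize(_alias)] = _prop

def resolve(name):
    """Return the canonical property for a name, prefixed name or alias."""
    prop = _ALIAS_INDEX.get(normalize(name))
    if prop is None:
        raise KeyError("unknown name property: %r" % name)
    return prop

def validate(name, raw_value):
    """Split multi-valued input on newline, trim white space, enforce the max length."""
    prop = resolve(name)
    _, max_len, multi = NAME_PROPERTIES[prop]
    values = [v.strip() for v in raw_value.split("\n")] if multi else [raw_value.strip()]
    for value in values:
        if len(value) > max_len:
            raise ValueError("%s exceeds %d chars: %r" % (prop, max_len, value))
    return values

def parse_dn(dn):
    """Naive split of a DN string such as "CN=MyName, OU=MyOrgUnit, C=US" (no escaping)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((resolve(attr), validate(attr, value)))
    return parts
```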

Certificate Properties

ICertServerExit::GetCertificateProperty

ICertServerExit::GetRequestProperty

ICertServerPolicy::GetCertificateProperty

ICertServerPolicy::GetRequestProperty

ICertServerPolicy::SetCertificateProperty