Name Properties
Name properties are properties of certificates and certificate requests that represent data about the subject, that is, the owner of the certificate or the individual for whom a certificate is requested. Each name property is identified by a property name. These names are not localizable; however, name properties typically correspond to a Certificate Services database column, and you can use the Certification Authority MMC snap-in, the command line tool 'certutil -schema', or the IEnumCERTVIEWCOLUMN::GetDisplayName method to display localized versions of the database column names.
The property name (but not the aliases) may have "Subject." as an optional prefix. For example, to refer to the subject's common name, you can use either "CommonName" or "Subject.CommonName".
In addition to its name, each property has some number of aliases that Certificate Services recognizes as alternate names for the property. Note that object identifiers (OIDs) are acceptable aliases, as are the szOID_* constants. These constants are definitions (in Wincrypt.h) that represent the OIDs. For example, szOID_COMMON_NAME is defined as "2.5.4.3". Consequently, you can use the szOID_* constants as aliases in place of the OIDs they represent.
Property name | Aliases | Data type | Description |
---|---|---|---|
"Subject.CommonName" | "CommonName" "CN" "2.5.4.3" szOID_COMMON_NAME |
String (max. 64 chars) | For user certificates, the person's full name. For computer certificates, the fully qualified HostName**/Path used in Domain Name System (DNS) lookups (for example, HostName.Example.com**). |
"Subject.Country" | "Country" "C" "2.5.4.6" szOID_COUNTRY_NAME |
String (max 2 chars) | The subject's country or region. This is an X.500 two-character country/region code (for example US for United States or CA for Canada). Many of these two-character codes are defined in the ISO 3166 standard. Additionally, the current locale's code is available through a call to the Windows function GetLocaleInfo (by specifying an LCType of LOCALE_SISO3166CTRYNAME). |
"Subject.DeviceSerialNumber" | "DeviceSerialNumber" "2.5.4.5" szOID_DEVICE_SERIAL_NUMBER |
String (max 1024 chars) | Device serial number. |
"Subject.DomainComponent" | "DomainComponent" "DC" "0.9.2342.19200300.100.1.25" szOID_DOMAIN_COMPONENT |
String (max 128 chars) | Component of a Domain Name System (DNS) name. |
"Subject.EMail" | "EMail" "E" "1.2.840.113549.1.9.1" szOID_RSA_emailAddr |
String (max 128 chars) | Email address (for example, "[email protected]"). |
"Subject.GivenName" | "GivenName" "G" "2.5.4.42" szOID_GIVEN_NAME |
String (max 16 chars) | First name of the subject. |
"Subject.Initials" | "Initials" "I" "2.5.4.43" szOID_INITIALS |
String (max 5 chars) | Initials of the subject (optional). |
"Subject.Locality" | "Locality" "L" "2.5.4.7" szOID_LOCALITY_NAME |
String (max 128 chars) | Name of the subject's city. |
"Subject.Organization" | "Organization" "Org" "O" "2.5.4.10" szOID_ORGANIZATION_NAME |
String (max 64 chars) | Legal name of the subject's organization. |
"Subject.OrgUnit" | "OrgUnit" "OrganizationUnit" "OrganizationalUnit" "OU" "2.5.4.11" szOID_ORGANIZATIONAL_UNIT_NAME |
String (max 64 chars) | Name of the subject's sub-organization or department. |
"Subject.State" | "State" "ST" "S" "2.5.4.8" szOID_STATE_OR_PROVINCE_NAME |
String (max 128 chars) | Full name of the subject's state or province (for example, California). |
"Subject.StreetAddress" | "StreetAddress" "Street" "2.5.4.9" szOID_STREET_ADDRESS |
String (max 30 chars) | Subject's street address or PO Box. |
"Subject.SurName" | "SurName" "SN" "2.5.4.4" szOID_SUR_NAME |
String (max 40 chars) | Last name of the subject. |
"Subject.Title" | "Title" "T" "2.5.4.12" szOID_TITLE |
String (max 64 chars) | Title of individual who requested the certificate (optional). |
"Subject.UnstructuredAddress" | "UnstructuredAddress" "1.2.840.113549.1.9.8" szOID_RSA_unstructAddr |
String (max 1024 chars) | Unstructured address. |
"Subject.UnstructuredName" | "UnstructuredName" "1.2.840.113549.1.9.2" szOID_RSA_unstructName |
String (max 1024 chars) | Unstructured name. |
The following properties are related to the subject, although they are not name properties. The policy module cannot set these properties directly.
Property | Data type | Description |
---|---|---|
"Request.DistinguishedName" | String (max 8192 chars) | The relative distinguished name for the request, a textual representation of the subject in the request. This representation consists of name properties, for example, "CN=MyName, OU=MyOrgUnit, C=US". The Certificate Services application sets this property before calling the policy module, by calling CertNameToStr using the RawRequest's Subject. |
"Request.RawName" | Binary (max 4096 bytes) | Abstract Syntax Notation One (ASN.1) binary subject BLOB extracted from the request. The Certificate Services application sets this property before calling the policy module; its value is determined by the RawRequest's Subject. |
"DistinguishedName" | String (max 8192 chars) | The relative distinguished name for the certificate, a textual representation of the subject in the certificate. This representation consists of name properties, for example, "CN=MyName, OU=MyOrgUnit, C=US". The Certificate Services application sets this property after calling the policy module, by calling CertNameToStr using the RawName. |
"RawName" | Binary (max 4096 bytes) | ASN.1 binary subject BLOB used to construct the certificate. The Certificate Services application sets this property after calling the policy module; its value is determined by the values of specific name properties (Subject.CommonName and so on) as directed by the SubjectTemplate. |
Which relative distinguished name components appear in the DistinguishedName property and the order in which they appear are controlled by the "SubjectTemplate" registry value contained in the following registry key:
HKEY_LOCAL_MACHINE
System
CurrentControlSet
Services
CertSvc
Configuration
CaName
When Certificate Services parses attribute names, it ignores spaces, hyphens (minus signs), and case. For example, "AttributeName1", "Attribute Name1", and "Attribute-name1" are all equivalent. For attribute values, Certificate Services ignores leading and trailing white space.
All of the preceding properties except DistinguishedName, RawName, and Subject.Country, support multiple-valued syntax by using a newline character. The newline separator cannot be disabled or changed.
Related topics