[New in v12.0].
To specify a relative distinguished name (RDN) with an attribute type not supported by the short names listed above, write the type as a dotted-decimal value (e.g. 2.5.4.18, postOfficeBox) and the value as a quoted string (e.g. 'Box 45'). Alternatively, see Full DER-encoded Value using "#" below.
"C=CA;2.5.4.18='Box 45';CN=John Doe"
The result of the example above in the final X.509 certificate should be as follows.
SEQUENCE { SET { SEQUENCE { OBJECT IDENTIFIER countryName (2 5 4 6) PrintableString 'CA' } } SET { SEQUENCE { OBJECT IDENTIFIER postOfficeBox (2 5 4 18) PrintableString 'Box 45' } } SET { SEQUENCE { OBJECT IDENTIFIER commonName (2 5 4 3) PrintableString 'John Doe' } } }
For a useful list of RDN attribute types, see [RFC4519] LDAP Schema for User Applications.
Use the representation <dotted-decimal>=#<hexstring> to specify a value that cannot be expressed as a simple string. <hexstring> is prefixed by a single pound sign ('#', U+0023) and is the hexadecimal encoding of the octets of the DER encoding of the ASN.1 value, including its tag and length bytes. Note that there is just one pound sign '#' preceding the hex-encoded value; "#x" means something different (it introduces raw octet values, see the table below).
"C=CA;2.5.4.18=#1306426F78203435;CN=John Doe"
The expression 2.5.4.18=#1306426F78203435 is a convoluted way to demonstrate the use of <dotted-decimal>=#<hexstring> to represent an RDN attribute-type-and-value. It creates an RDN of type postOfficeBox with ASN.1 value equal to the eight decoded bytes (0x)13 06 42 6F 78 20 34 35; that is, a PrintableString (tag 0x13) of length six bytes (length byte 0x06), with data representing the string "Box 45" as the six bytes 42 6F 78 20 34 35. A simpler equivalent is 2.5.4.18='Box 45'.
This alternative is meant for advanced users who are comfortable with ASN.1 encodings and want to do something clever like specify the ASN.1 type for the value. Using the '<quoted-string>' option will almost certainly do what you want in most cases.
Syntax | Example | Remarks |
---|---|---|
<short-name>=<astring> | OU=abc | <astring> must not contain "=" or ";" |
<short-name>='<quoted-string>' | OU='abc' | Surround <quoted-string> with single quotes "'" and use backslash "\" to escape the quote and the backslash (\' and \\). Use a hex escape sequence \<HEX><HEX> (a backslash followed by exactly two hex digits) to insert an 8-bit octet. |
<short-name>=#x<hex-digits> | OU=#x616263 C=#x4de978 | <hex-digits> are decoded in pairs directly to octet values. |
<dotted-decimal>=<quoted-string> | 2.5.4.11='abc' | <dotted-decimal> must decode to a valid OID; same rules for <quoted-string> as above. |
<dotted-decimal>=#<hexstring> | 2.5.4.11=#1303616263 | <hexstring> must decode to a full DER encoding of an ASN.1 value (including tag byte and length). |
Various profiles (e.g. PKIX) set limits on the maximum length of the attribute values, e.g. the maximum length of the country code "C" is two characters. We do not enforce these limits. We also do not enforce the strict choices about the string encoding types - if you pass a character that does not fit in the "correct" encoding for the attribute, we'll kludge it into the most appropriate one. In other words, we'll put any old cr*p that you pass into the certificate distinguished name (see AOC policy).
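The following Python is an added example, not the library's own code, covering both the "#" DER-encoded value passage and the syntax table above. It builds the "#<hexstring>" form of a PrintableString (so you can see where 1306426F78203435 comes from), checks that a "#" value really is one complete DER tag-length-value rather than a bare string of octets, and parses a DN string that mixes the plain, quoted, "#x" and "#" syntaxes. It assumes only the short names used on this page (C, CN, OU, mapped to their standard X.520 OIDs) and handles only short-form DER lengths (up to 127 octets); the function names are the example's own.

```python
# Added example, not the library's own code: produce and validate the
# "#<hexstring>" DER form and parse the DN syntaxes from the table above.
import re

# Assumption: only the short names used on this page are mapped here
# (the OIDs themselves are the standard X.520 ones).
SHORT_NAMES = {"C": "2.5.4.6", "CN": "2.5.4.3", "OU": "2.5.4.11"}
PRINTABLE_STRING_TAG = 0x13


def der_printable_string(s: str) -> bytes:
    """Full DER encoding (tag, length, contents) of a PrintableString.
    Only the short-form length (0..127 octets) is handled in this example."""
    data = s.encode("ascii")
    if len(data) > 127:
        raise ValueError("this example only handles short-form DER lengths")
    return bytes([PRINTABLE_STRING_TAG, len(data)]) + data


def hex_der_value(s: str) -> str:
    """Hex to place after a single '#', e.g. 'Box 45' -> '1306426F78203435'."""
    return der_printable_string(s).hex().upper()


def split_der_tlv(der: bytes):
    """Require exactly one complete DER TLV and return (tag, contents).
    A '#<hexstring>' value must carry tag and length; missing or trailing
    octets are rejected rather than silently accepted."""
    if len(der) < 2:
        raise ValueError("DER value needs at least a tag and a length byte")
    tag, length = der[0], der[1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled in this example")
    if len(der) != 2 + length:
        raise ValueError(f"length byte says {length} octets, found {len(der) - 2}")
    return tag, der[2:]


def is_full_der(hexstring: str) -> bool:
    """True if hexstring (without the leading '#') is one complete DER TLV."""
    try:
        split_der_tlv(bytes.fromhex(hexstring))
        return True
    except ValueError:
        return False


def unquote(s: str) -> str:
    """Decode the inside of a '<quoted-string>': \\' and \\\\ escapes, plus
    \\HH inserting one 8-bit octet (returned as a latin-1 character)."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i]); i += 1; continue
        nxt = s[i + 1:i + 2]
        if nxt in ("'", "\\"):
            out.append(nxt); i += 2; continue
        hx = s[i + 1:i + 3]
        if re.fullmatch(r"[0-9A-Fa-f]{2}", hx):
            out.append(chr(int(hx, 16))); i += 3; continue
        raise ValueError(f"bad escape sequence at offset {i}")
    return "".join(out)


def split_rdns(dn: str):
    """Split on ';' outside single quotes; inside quotes a backslash
    escapes the next character so \\' does not end the quoted string."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if in_quote and c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2]); i += 2; continue
        if c == "'":
            in_quote = not in_quote
        if c == ";" and not in_quote:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string")
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str):
    """Parse 'type=value;type=value' into [(oid, kind, value)], where kind is
    'string' (text), 'octets' (#x raw bytes) or 'der' ((tag, contents) from #)."""
    rdns = []
    for part in split_rdns(dn):
        if "=" not in part:
            raise ValueError(f"no '=' in RDN {part!r}")
        typ, val = part.split("=", 1)
        oid = SHORT_NAMES.get(typ.strip(), typ.strip())
        if not re.fullmatch(r"\d+(\.\d+)+", oid):
            raise ValueError(f"unknown short name or bad OID {typ!r}")
        if val.startswith("#x"):                  # raw octets, no tag/length
            rdns.append((oid, "octets", bytes.fromhex(val[2:])))
        elif val.startswith("#"):                 # full DER tag-length-value
            rdns.append((oid, "der", split_der_tlv(bytes.fromhex(val[1:]))))
        elif len(val) >= 2 and val[0] == val[-1] == "'":
            rdns.append((oid, "string", unquote(val[1:-1])))
        else:                                     # plain <astring>
            if "=" in val:
                raise ValueError("unquoted <astring> must not contain '='")
            rdns.append((oid, "string", val))
    return rdns


if __name__ == "__main__":
    print(hex_der_value("Box 45"))
    for rdn in parse_dn("C=CA;2.5.4.18=#1306426F78203435;CN=John Doe"):
        print(rdn)
```

The point of split_der_tlv is the distinction the text draws between "#" and "#x": a "#" value is only accepted when its length byte accounts for exactly the octets that follow, so a hex string that is really just raw characters (the "#x" case) is rejected instead of being quietly stuffed into the name.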