
NOTE distinguished name representation in jsrsasign

Kenji Urushima edited this page Jun 21, 2020 · 27 revisions



jsrsasign uses the "OpenSSL compat" format (ex. /C=US/O=Test) as the string representation of an X.500 directory name, which appears in the subject or issuer name of a certificate and in the server name of an OCSP responder or TSA.

(21-Jun-2020) I had misunderstood that a DN like "/C=US/O=Test" is the oneline format; however, it is the 'compat' format.

There are two major representations for it:

standard form (LDAP, RFC 1779, 2253 or 4514)

  • ex. CN=example.com,O=TEST,C=US

  • RDNs (relative distinguished names) are separated by ','

  • RDNs are shown in reverse order.

OpenSSL compat form

  • ex. /C=US/O=TEST/CN=example.com

  • RDNs (relative distinguished names) are separated by '/'

  • RDNs are shown in non-reverse order.

  • Used by OpenSSL and OpenSSL-based web servers like Apache and nginx.

The LDAP string representation for distinguished names has been fully supported since jsrsasign 6.2.2.

GENERATORS

dn = new KJUR.asn1.x509.X500Name({str: "/C=JP/O=Test/CN=john+E=john@example.com"}); // OpenSSL compat format(default)
dn = new KJUR.asn1.x509.X500Name({ldapstr: "CN=john+E=john@example.com,O=Test,C=JP"}); // LDAP(RFC 2253) format

CONVERTERS

To convert from the LDAP to the OpenSSL compat representation, the X500Name.ldapToOneline static method can be used.

KJUR.asn1.x509.X500Name.ldapToOneline("O=test,C=US") // => "/C=US/O=test"

To convert from the OpenSSL compat to the LDAP representation, the X500Name.onelineToLdap static method can be used.

KJUR.asn1.x509.X500Name.onelineToLdap("/C=US/O=test") // => "O=test,C=US"
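The conversion described above, as an added stand-alone example (not jsrsasign's own code): it reverses the RDN order and swaps separators while respecting backslash-escaped separators, which matters when a subject DN reported by a web server is compared with an LDAP-style allowlist entry. The function names `splitUnescaped`, `reescape`, `ldapToCompat` and `compatToLdap` are hypothetical, and treating a backslash as the escape character in the compat form is an assumption.

```javascript
// Added example: stand-alone converter, not jsrsasign's implementation.
// Assumption: a backslash escapes the next character in both notations.
// Hex escapes such as \2C are passed through unchanged.

// Split `s` on unescaped occurrences of `sep`, keeping escape pairs intact.
function splitUnescaped(s, sep) {
  const parts = [];
  let cur = "";
  for (let i = 0; i < s.length; i++) {
    if (s[i] === "\\" && i + 1 < s.length) {
      cur += s[i] + s[i + 1]; // copy the escape pair verbatim
      i++;
    } else if (s[i] === sep) {
      parts.push(cur);
      cur = "";
    } else {
      cur += s[i];
    }
  }
  parts.push(cur);
  return parts;
}

// Unescape the old separator and escape the new one inside a single RDN.
function reescape(rdn, fromSep, toSep) {
  let out = "";
  for (let i = 0; i < rdn.length; i++) {
    if (rdn[i] === "\\" && rdn[i + 1] === fromSep) { out += fromSep; i++; }
    else if (rdn[i] === "\\" && i + 1 < rdn.length) { out += rdn[i] + rdn[i + 1]; i++; }
    else if (rdn[i] === toSep) out += "\\" + toSep;
    else out += rdn[i];
  }
  return out;
}

// "CN=a,O=b,C=US" -> "/C=US/O=b/CN=a"
function ldapToCompat(ldap) {
  const rdns = splitUnescaped(ldap, ",").map((r) => reescape(r, ",", "/"));
  return "/" + rdns.reverse().join("/");
}

// "/C=US/O=b/CN=a" -> "CN=a,O=b,C=US"
function compatToLdap(compat) {
  if (!compat.startsWith("/")) throw new Error("compat DN must start with '/'");
  const rdns = splitUnescaped(compat.slice(1), "/").map((r) => reescape(r, "/", ","));
  return rdns.reverse().join(",");
}
```

A plain `split(",")` on an LDAP string such as `CN=example.com,O=Acme\, Inc.,C=US` yields four pieces instead of three RDNs, so DN comparisons built on naive splitting can mismatch or match the wrong entry.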
