Share via

Managing Subject Relative Distinguished Names in the Certificate Subject

Applies To: Windows Server 2003 with SP1

For the subject relative distinguished names in certificates issued by a Windows Server 2003 certification authority, the following list contains the object identifiers that are supported in the platform:

COUNTRY_NAME ""  "Country"

ORGANIZATION_NAME ""    "OrganizationalUnit"

ORGANIZATIONAL_UNIT_NAME ""     "Organization"

COMMON_NAME ""   "CommonName"

LOCALITY_NAME "" "Locality"

STATE_OR_PROVINCE_NAME ""        "State"

TITLE ""        "Title"

GIVEN_NAME ""   "GivenName"

INITIALS ""     "Initials"

SUR_NAME ""      "SurName"

DOMAIN_COMPONENT "0.9.2342.19200300.100.1.25"   "DomainComponent"

RSA_emailAddr "1.2.840.113549.1.9.1"    "EMail"

STREET_ADDRESS ""        "StreetAddress"

RSA_unstructName "1.2.840.113549.1.9.2" "UnstructuredName"

RSA_unstructAddr "1.2.840.113549.1.9.8" "UnstructuredAddress"

DEVICE_SERIAL_NUMBER ""  "DeviceSerialNumber"

By default, the following relative distinguished names elements are allowed in the subject of certificates and in the following order when also specified in a version 2 template:

  •     0: EMail

  •     1: CommonName

  •     2: OrganizationalUnit

  •     3: Organization

  •     4: Locality

  •     5: State

  •     6: DomainComponent

  •     7: Country

The default list can be displayed on a CA by running the following command:

certutil -getreg ca\SubjectTemplate 

A relative distinguished names component can be added to the allowable list by running the following command. In this example, the title is added to the end of the list in the registry of the CA.

certutil -setreg ca\SubjectTemplate +title 

Because the strings are ordered, using the “+title” parameter to add a string to the REG_MULTI_SZ registry value may not produce a certificate with the Subject RDNs in the desired order. You can also use regedit.exe to editing the registry directly may be easiest way to specify the desired order.

You can set the value to the Windows 2003 defaults via the following command:

certutil -setreg ca\SubjectTemplate "EMail\nCommonName\nOrganizationalUnit\nOrganization\nLocality\nState\nDomainComponent\nCountry"

Variations on this command can be used to specify any subset of the 16 supported RDNs in any desired order.

To remove the DC= component from the subject of a certificate issued by a subordinate stand-alone CA, run the following command:

certutil -setreg ca\SubjectTemplate -DomainComponent