Slightly OT: X.509 Name encoding

Why does LE encode the X.509 “Name” type as a list of one-member RelativeDistinguishedName (RDN) objects, rather than as a single RDN that contains all of the attributes?

For example, a parse of the Issuer in a certificate that I have is:

   48:d=2  hl=2 l=  74 cons:   SEQUENCE          
   50:d=3  hl=2 l=  11 cons:    SET               
   52:d=4  hl=2 l=   9 cons:     SEQUENCE          
   54:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   59:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
   63:d=3  hl=2 l=  22 cons:    SET               
   65:d=4  hl=2 l=  20 cons:     SEQUENCE          
   67:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
   72:d=5  hl=2 l=  13 prim:      PRINTABLESTRING   :Let's Encrypt
   87:d=3  hl=2 l=  35 cons:    SET               
   89:d=4  hl=2 l=  33 cons:     SEQUENCE          
   91:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   96:d=5  hl=2 l=  26 prim:      PRINTABLESTRING   :Let's Encrypt Authority X3

Why are there three separate SETs, rather than one single SET that contains the countryName, organizationName, and commonName?

Is it to simplify matching, so that the “distinguishedNameMatch” algorithm isn’t needed?

I don’t know, but do you have a counterexample where a different CA does it differently? In a Comodo certificate I see

   46:d=2  hl=3 l= 133 cons:   SEQUENCE          
   49:d=3  hl=2 l=  11 cons:    SET               
   51:d=4  hl=2 l=   9 cons:     SEQUENCE          
   53:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   58:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :GB
   62:d=3  hl=2 l=  27 cons:    SET               
   64:d=4  hl=2 l=  25 cons:     SEQUENCE          
   66:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
   71:d=5  hl=2 l=  18 prim:      PRINTABLESTRING   :Greater Manchester
   91:d=3  hl=2 l=  16 cons:    SET               
   93:d=4  hl=2 l=  14 cons:     SEQUENCE          
   95:d=5  hl=2 l=   3 prim:      OBJECT            :localityName
  100:d=5  hl=2 l=   7 prim:      PRINTABLESTRING   :Salford
  109:d=3  hl=2 l=  26 cons:    SET               
  111:d=4  hl=2 l=  24 cons:     SEQUENCE          
  113:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
  118:d=5  hl=2 l=  17 prim:      PRINTABLESTRING   :COMODO CA Limited
  137:d=3  hl=2 l=  43 cons:    SET               
  139:d=4  hl=2 l=  41 cons:     SEQUENCE          
  141:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
  146:d=5  hl=2 l=  34 prim:      PRINTABLESTRING   :COMODO RSA Certification Authority

@schoen No, I don’t know of any CAs that issue certificates using multi-value RDNs (RelativeDistinguishedNames).

Incidentally, apparently if you write “+” instead of “/” as a separator in a DN string notation, that indicates a multi-valued RDN:

/O=My Organization/OU=My Dept+GN=John+SN=Doe

My inquiry was just for curiosity, why this is an apparently standard practice when there doesn’t seem to be any particular reason why the values would be in separate RDNs—other than the comparison logic that I proposed earlier.
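The structural point behind the question (a Name is a SEQUENCE OF RelativeDistinguishedName, and each RDN is a SET OF AttributeTypeAndValue) is easiest to see by building both encodings and comparing the DER. The following is an added example, not code from the thread or from Let's Encrypt; it is a deliberately minimal pure-Python DER encoder/decoder that handles only PrintableString values and the handful of attribute OIDs used here, and the helper names (`name`, `rdn`, `attr`, `parse_name`, `dn_string`) are this example's own. It reproduces the Let's Encrypt and Comodo issuer names from the dumps above (the encoded lengths match the `l=74` and `l=133` shown there), packs the same attributes into a single multi-valued RDN, and renders the OpenSSL-style `/` and `+` notation mentioned in the last post.

```python
"""Added example: X.509 Name ::= SEQUENCE OF RelativeDistinguishedName,
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue (RFC 5280 4.1.2.4).
Minimal DER: only PrintableString values, only the OIDs listed below."""

# Short names -> dotted OIDs of the standard X.520 attribute types.
OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3", "GN": "2.5.4.42", "SN": "2.5.4.4",
}
SHORT = {v: k for k, v in OIDS.items()}


def encode_oid(dotted):
    """DER contents of an OBJECT IDENTIFIER (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))  # continuation bit on all but last
            arc >>= 7
        body += bytes(reversed(chunk))
    return body


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def tlv(tag, content):
    """Tag-Length-Value with DER short or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def attr(short, value):
    # AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value PrintableString }
    return tlv(0x30, tlv(0x06, encode_oid(OIDS[short])) + tlv(0x13, value.encode("ascii")))


def rdn(attrs):
    # SET OF: DER (X.690 11.6) requires the element encodings in sorted order,
    # so attribute order inside a multi-valued RDN is NOT preserved. Plain
    # bytes sorting is used here; it matches X.690's zero-padded comparison
    # for these inputs but is a simplification.
    return tlv(0x31, b"".join(sorted(attr(k, v) for k, v in attrs)))


def name(rdns):
    """rdns: list of RDNs, each a list of (short_name, value) pairs. Order of RDNs is significant."""
    return tlv(0x30, b"".join(rdn(r) for r in rdns))


def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length, as in the l=133 Comodo name (hl=3)
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def iter_tlv(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body


def parse_name(der):
    """Decode DER Name back into a list of RDNs (each a list of (short, value))."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns = []
    for stag, sbody in iter_tlv(seq):
        assert stag == 0x31, "each RDN must be a SET"
        pairs = []
        for _, abody in iter_tlv(sbody):
            (_, oid), (_, val) = list(iter_tlv(abody))
            pairs.append((SHORT[decode_oid(oid)], val.decode("ascii")))
        rdns.append(pairs)
    return rdns


def dn_string(rdns):
    """OpenSSL-style one-line DN: '/' separates RDNs, '+' joins attributes within one RDN."""
    return "".join("/" + "+".join(f"{k}={v}" for k, v in r) for r in rdns)


# Constructed inputs: the two issuer names dumped in the thread.
LE_ISSUER = name([[("C", "US")], [("O", "Let's Encrypt")], [("CN", "Let's Encrypt Authority X3")]])
COMODO_ISSUER = name([[("C", "GB")], [("ST", "Greater Manchester")], [("L", "Salford")],
                      [("O", "COMODO CA Limited")], [("CN", "COMODO RSA Certification Authority")]])
# The same three LE attributes packed into ONE multi-valued RDN instead of three.
LE_ONE_RDN = name([[("C", "US"), ("O", "Let's Encrypt"), ("CN", "Let's Encrypt Authority X3")]])
# The '+' example from the thread.
MIXED = name([[("O", "My Organization")], [("OU", "My Dept"), ("GN", "John"), ("SN", "Doe")]])

if __name__ == "__main__":
    for label, der in [("LE", LE_ISSUER), ("LE one RDN", LE_ONE_RDN), ("Comodo", COMODO_ISSUER), ("mixed", MIXED)]:
        print(f"{label:11} len={len(der):3} {dn_string(parse_name(der))}")
```

Two things fall out of running it. First, the multi-valued form is a few bytes shorter but is a different DER value, so the two encodings of the same attributes are not byte-equal; a relying party that compares Issuer to Subject by octet string, which RFC 5280 permits when the encodings are identical, would treat them as different names. Second, because each RDN is a SET and DER sorts SET OF elements, the attribute order written as `OU=My Dept+GN=John+SN=Doe` does not survive encoding, whereas the order of separate `/`-delimited RDNs is part of the value. That is exactly the property that makes one-attribute-per-RDN simpler to compare and display.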

Hi @FGasper, that’s an interesting question but most of the people who spend time on this forum are more specialized in ACME and web server configuration stuff than this kind of thing, so I predict it may be more fruitful to try your question again on an X.509/PKI related forum.

Good luck!
