Appendix B. Introduction to Public-Key Cryptography
Users do not usually need to be concerned about the exact contents of a certificate. However, system
administrators working with certificates may need some familiarity with the information contained in
them.
B.4.5.1. Distinguished Names
An X.509 v3 certificate binds a distinguished name (DN) to a public key. A DN is a series of name-value pairs, such as uid=doe, that uniquely identify an entity. This is also called the certificate subject name.
This is an example DN of an employee for Example Corp.:
uid=doe, cn=John Doe,o=Example Corp.,c=US
In this DN, uid is the username, cn is the user's common name, o is the organization or company
name, and c is the country.
DNs may include a variety of other name-value pairs. They are used to identify both certificate
subjects and entries in directories that support the Lightweight Directory Access Protocol (LDAP).
The rules governing the construction of DNs can be complex; for comprehensive information about
DNs, see A String Representation of Distinguished Names at http://www.ietf.org/rfc/rfc1485.txt.
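As an added example (not code from the Certificate System manual), the following parser splits DN strings of the form shown above into their name-value pairs, rebuilds them with proper escaping, and compares two DNs by components rather than by raw text, so the irregular spacing in the manual's example does not matter. It covers the common subset of the string syntax (backslash escapes and double-quoted values); multi-valued RDNs joined with `+` are not handled.

```python
# Added example (not from the Certificate System manual): parse and rebuild
# DN strings. Handles comma-separated attribute=value pairs, optional spaces,
# backslash escapes and double-quoted values; '+' multi-valued RDNs are not.
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into ordered (attribute, value) pairs."""
    pairs: list[tuple[str, str]] = []
    attr, buf = "", []      # attribute type; characters of the current token
    in_attr, quoted = True, False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # backslash: next char is literal
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"' and not in_attr:         # quotes delimit a literal value
            quoted = not quoted
        elif ch == "=" and in_attr:           # end of attribute type
            attr, buf, in_attr = "".join(buf).strip().lower(), [], False
        elif ch == "," and not quoted:        # unquoted comma ends the RDN
            if in_attr:
                raise ValueError(f"RDN without '=' in {dn!r}")
            pairs.append((attr, "".join(buf).strip()))
            buf, in_attr = [], True
        else:
            buf.append(ch)
        i += 1
    if quoted or (in_attr and buf):
        raise ValueError(f"malformed DN: {dn!r}")
    if not in_attr:
        pairs.append((attr, "".join(buf).strip()))
    return pairs


def format_dn(pairs: list[tuple[str, str]]) -> str:
    """Rebuild a DN string, escaping characters that would split or quote it."""
    special = ',+"\\<>;'
    return ",".join(
        attr + "=" + "".join("\\" + c if c in special else c for c in value)
        for attr, value in pairs
    )


def same_dn(a: str, b: str) -> bool:
    """Compare DNs by parsed components, so spacing and attribute-type case
    differences do not make equal names look different."""
    return parse_dn(a) == parse_dn(b)
```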
B.4.5.2. A Typical Certificate
Every X.509 certificate consists of two sections:
• The data section includes the following information:
  • The version number of the X.509 standard supported by the certificate.
  • The certificate's serial number. Every certificate issued by a CA has a serial number that is unique among the certificates issued by that CA.
  • Information about the user's public key, including the algorithm used and a representation of the key itself.
  • The DN of the CA that issued the certificate.
  • The period during which the certificate is valid; for example, between 1:00 p.m. on November 15, 2004, and 1:00 p.m. November 15, 2009.
  • The DN of the certificate subject, which is also called the subject name; for example, in an SSL client certificate, this is the user's DN.
  • Optional certificate extensions, which may provide additional data used by the client or server. For example, the Netscape Certificate Type extension indicates the type of certificate, such as an SSL client certificate, an SSL server certificate, or a certificate for signing email. Certificate extensions can also be used for other purposes.
• The signature section includes the following information:
  • The cryptographic algorithm, or cipher, used by the issuing CA to create its own digital signature. For more information about ciphers, see Section 1.4.10, "SSL/TLS and Supported Cipher Suites".