Wiki: NOTE distinguished name representation in jsrsasign

TOP | DOWNLOADS-|-TUTORIALS-|-API-REFERENCE-|-Online-Tool-|-DEMO-|-[[NODE-TOOL|Sample-Node-Tool-List.html">Wiki

The 'jsrsasign' uses "OpenSSL compat" format (ex. /C=US/O=Test) for X.500 directory name string representation which is used in subject or issuer name of certificate, server name of OCSP or TSA.

(21-Jun-2020) I've misunderstood that DN like "/C=US/O=Test" is oneline format however it is 'compat' format

There are two major representation for it:

standard form(LDAP, RFC 1779, 2253 or 4514)

• ex. CN=example.com,O=TEST,C=US

• RDN(relative distinguished name) is separated by ','

• RDNs are shown in reverse order.

OpenSSL compat form

• ex. /C=US/O=TEST/CN=example.com

• RDN(relative distinguished name) is separated by '/'

• RDNs are shown in non-reverse order.

• Used by OpenSSL and OpenSSL based web servers like Apache, nginx.

LDAP string representation for distinguished name is fully supported since jsrsasign 6.2.2.

GENERATORS

dn = new KJUR.asn1.x509.X500Name({str: "/C=JP/O=Test/CN=john+E=john@example.com"}); // OpenSSL compat format(default)
dn = new KJUR.asn1.x509.X500Name({ldapstr: "CN=john+E=john@example.com,O=Test,C=JP"}); // LDAP(RFC 2253) format

CONVERTERS

To convert from LDAP to OpenSSL compat representation, X500Name.ldapToOneline static method can be used.

KJUR.asn1.x509.X500Name.ldapToOneline("O=test,C=US") => /C=US/O=test

To convert from OpenSSL online to LDAP representation, X500Name.onelineToLdap static method can be used.

KJUR.asn1.x509.X500Name.onelineToLdap("/C=US/O=test") => O=test,C=US

REFERENCES

• Java example source code file (X500Name.java)
• OpenSSL X509 command manual;
• stackoverflow: Why does Nginx Provide the Client SSL DN in reverse order?
• LShift: What's in a Distinguished Name?
• IETF RFC 2253 Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names