Effective CISSP Questions

A certificate authority (CA) issues a certificate to a web server. The subject is denoted as the distinguished name (DN):,O=Amicliens,S=Taiwan,C=TW. Which of the following is correct?
A. The DN can also be expressed as;O=Amicliens;S=Taiwan;C=TW.
B. The DN is described using Abstract Syntax Notation One (ASN.1) specified in X.500.
C. The DN is described using Uniform Resource Locator (URL) specified in LDAP.
D. The DN is described using Online Certificate Status Protocol in X.509.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. The DN can also be expressed as CN =;O = Amicliens;S = Taiwan;C = TW.

A sample X.509 Certificate for the website,

Because the forward-slash “/” as a separator is rarely used in practice nowadays, I revised option A to use the semicolon “;” as the DN separator even though the following distinguished names are semantically equivalent

  • CN =,
    O = Amicliens,
    S = Taiwan,
    C = TW
  • CN =,O = Amicliens,S = Taiwan,C = TW (RFC 1779-compliant, LDAP v2)
  • CN =;O = Amicliens;S = Taiwan;C = TW (RFC 1779-compliant, LDAP v2)
  • /CN = = Amicliens/S = Taiwan/C = TW (ad hoc but acceptable)

The subject’s distinguished name (DN) in an X.509 certificate may refer to X.501, which defines the structure of a distinguished name in ASN.1. However, X.501 doesn’t specifically define the notation or the string representation of a distinguished name.

DN Separators

Although the concepts of distinguished names and relative distinguished names are core to the X.500 model, the X.500 standard itself does not define any string representation for names. What is communicated between the X.500 components is the structural form of names. The reasoning behind this is that the standard is sufficient to allow different implementations to interoperate. String names are never communicated between different implementations. Instead, they are necessary only for interaction with end-users. For that purpose, the standard allows any representation, not necessarily only string representations.

Systems that are based on the X.500, such as the LDAP, the DCE Directory, Novell’s NDS, and Microsoft’s Active Directory, each define its own string representation. For example, in the LDAP, a DN’s RDNs are arranged right to left, separated by the comma character (“,”). Here’s an example of a name that starts with “c=us” at the top and leads to “cn=Rosanna Lee” at the leaf.

cn=Rosanna Lee, ou=People, o=Sun, c=us

Here’s an example of the same name using the string representation of the DCE Directory and Microsoft’s Active Directory.

/c=us/o=Sun/ou=People/cn=Rosanna Lee

The convention for these systems is that RDNs are ordered left to right and separated by the forward slash character (“/”).

Source: Oracle

X.509 Certificate

X.509 defines a certificate’s format. It only requires the subject field to be a non-empty distinguished name, except that the certificate is an end-entity with the subjectAltName. Still, it doesn’t specify the notation of the subject’s distinguished name. (X.501 defines the structure of a distinguished name instead of the notation.)

The following ASN.1 data type specifies the syntax of public-key certificates in X.509:

X.509 Certificate Syntax
X.509 Certificate Syntax

The subject component shall identify the entity associated with the public-key found in the subjectPublicKey component of the subjectPublicKeyInfo component. If the public-key certificate is an end-entity public-key certificate (see clause 7.4), then the distinguished name may be an empty sequence providing that the subjectAltName extension is present and is flagged as critical (see clause Otherwise, it shall be a non-empty distinguished name.

Requirements for subject and issuer information extensions

a) Public-key certificates need to be usable by applications that employ a variety of name forms, including Internet electronic mail names, Internet domain names, Rec. ITU-T X.400 originator/recipient addresses, and EDI party names. It is therefore necessary to be able securely to associate multiple names of a variety of name forms with a public-key certificate subject or a public-key certificate or CRL issuer.

Source: X.509


In addition to X.509 certificates, distinguished names are also used in directory services. For example, the concepts of distinguished names are introduced in X.500. LDAP is the lightweight version of X.500 which uses distinguished names as well.

In view of the importance of a common format to be able to unambiguously represent a distinguished name to support human to human communication, which must be string based (not ASN.1) and user-oriented, RFC 1779 defines a string representation of distinguished names, commonly adopted in LDAPv2. Implementations parsing a DN string generated by an LDAPv2 client MUST accept the syntax of RFC 1779.

The syntax defined in RFC 2253, Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names, is more restrictive than the syntax in RFC 1779.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

證書頒發機構(CA)向Web服務器頒發證書。 該主題以專有名稱(DN)表示;O=Amicliens;S=Taiwan;C=TW。 以下哪項敍述正確?
A. 該DN也可以表示為;O=Amicliens;S=Taiwan;C=TW。
B. 該DN是使用X.500中指定的抽象語法表示法(ASN.1)描述。
C. 該DN是使用LDAP中指定的URL格式描述。
D. 該DN是使用X.509中的OCSP格式描述。

Leave a Reply