Subject DN
The Subject Distinguished Name (DN) in a PIV certificate plays a crucial role in authentication
workflows, ensuring that each credential uniquely identifies the certificate holder. Learn how these
attributes function in PIV-based authentication, access control, and identity
verification.
Role of Subject DN in PIV Authentication
When a user authenticates using their PIV smart card, the system reads the certificate's Subject DN
attributes to verify identity. This is critical for:
- Mutual TLS (mTLS) authentication (e.g., logging into a secure system or network)
- PKI-based single sign-on (SSO) authentication
- Identity federation across agencies
- Access control decisions based on user attributes
Example of a Subject DN in a PIV Certificate:
CN=John A. Doe, OU=Cybersecurity Division, O=Department of Homeland Security, C=US, SERIALNUMBER=123456789
Subject DN Attributes and Their Uses
| Attribute | Description | Usage in PIV Authentication |
|---|---|---|
| Common Name (CN) | The full name of the cardholder. | Used for identification in certificate-based authentication (e.g., Smart Card Login). |
| Organizational Unit (OU) | The department or division of the user. | Helps enforce role-based access control (RBAC). |
| Organization (O) | The federal agency or organization. | Ensures the certificate is issued under a trusted entity. |
| Country (C) | The two-letter country code (e.g., US). | Helps verify jurisdiction of the certificate holder. |
| State/Province (ST) | The state or province name (optional). | Can be used for location-based access controls. |
| Locality (L) | The city or locality (optional). | Not always used but may assist in additional identification. |
| Email Address (emailAddress) | Official email address of the user. | Used for email encryption/signing or system notifications. |
| Serial Number (SERIALNUMBER) | A unique identifier for the certificate holder (e.g., Employee ID or Federal Agency Smart Credential Number). | Critical for tracking and validating identity in PIV systems. |
| Title | The individual's job title (optional). | Helps define privileges in policy-based access control. |
| DN Qualifier | An additional identifier if needed. | Used in complex identity management scenarios. |
Subject DN in Identity Federation and Brokering
Federation Example:
- A PIV credential issued by Agency A can be used to authenticate to Agency B if both agencies trust the same PKI root.
- The Subject DN attributes help map users across different agencies and define authorization policies.
Identity Brokering Example:
- When a PIV cardholder logs into an Identity Provider (IdP), the Subject DN attributes can be used to determine which services they can access.
- For example, a user whose certificate carries OU=Cybersecurity Division might be granted access to cybersecurity-related applications, while other users are restricted.
Subject DN in Policy-Based Access Control (PBAC)
Some organizations use policy-based access control (PBAC) where access decisions are
based on Subject DN attributes.
For example:
- A user with "OU=Finance" can access financial records but not IT systems.
- A contractor with "O=VendorX" may have limited access compared to a full-time employee.
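The brokering and PBAC examples above both come down to the same two steps: parse the Subject DN into its attributes, then evaluate a deny-by-default policy over them. The following Python is an added example (not code from the original page) that does both. It assumes the DN string has already been read from a client certificate that was chain-validated to a trusted PKI root, since the DN alone proves nothing; the organizations, resource names, OU rules and sample DNs are constructed for illustration. The parser goes slightly beyond the page's example DN: it also handles RFC 4514 backslash escapes and multi-valued RDNs joined with `+`, because a naive `split(",")` would mis-parse a name such as `CN=Doe\, Jane`.

```python
"""Parse a PIV Subject DN and evaluate attribute-based access rules.

Added example, not code from the original page. It assumes the DN string was
taken from a client certificate that has already been chain-validated to a
trusted PKI root; the organizations, resources and sample DNs are constructed
for illustration only.
"""
from __future__ import annotations

HEX_DIGITS = "0123456789abcdefABCDEF"


def _split_unescaped(text: str, separators: str) -> list[str]:
    """Split on any separator character that is not backslash-escaped,
    leaving the escape sequences intact for later unescaping."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] in separators:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(raw: str) -> str:
    """Resolve RFC 4514 escapes: '\\,' -> ',' and '\\XX' -> the UTF-8 byte 0xXX."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            if i + 2 < len(raw) and raw[i + 1] in HEX_DIGITS and raw[i + 2] in HEX_DIGITS:
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
            else:
                out.extend(raw[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(raw[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> dict[str, list[str]]:
    """Parse 'CN=..., OU=..., O=...' into {TYPE: [values]}.

    Handles escaped separators, multi-valued RDNs joined with '+', and
    case-insensitive attribute types. Values are kept as lists because a
    DN may legitimately carry several OU components."""
    attrs: dict[str, list[str]] = {}
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            if not ava.strip():
                continue
            attr_type, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed attribute: {ava!r}")
            attrs.setdefault(attr_type.strip().upper(), []).append(_unescape(value.strip()))
    return attrs


# --- constructed policy data (hypothetical, for illustration) -------------
TRUSTED_ORGS = {"Department of Homeland Security"}   # full-time employee issuers
CONTRACTOR_ORGS = {"VendorX"}                        # contractors get a reduced set
CONTRACTOR_ALLOWED = {"ticketing-portal"}
POLICY = {                                           # resource -> OUs permitted
    "financial-records": {"Finance"},
    "cyber-apps": {"Cybersecurity Division"},
    "ticketing-portal": {"Finance", "Cybersecurity Division", "IT Operations"},
}


def authorize(dn: str, resource: str) -> bool:
    """Return True only when every required attribute supports the decision.

    Deny by default: an unknown organization, a missing SERIALNUMBER (the
    unique holder identifier) or an unknown resource all yield False."""
    attrs = parse_dn(dn)
    orgs = set(attrs.get("O", []))
    if not attrs.get("SERIALNUMBER"):
        return False
    if orgs & CONTRACTOR_ORGS:
        return resource in CONTRACTOR_ALLOWED
    if not orgs & TRUSTED_ORGS:
        return False
    permitted_ous = POLICY.get(resource, set())
    return bool(permitted_ous & set(attrs.get("OU", [])))


# constructed sample DNs
SAMPLE_EMPLOYEE_DN = ("CN=John A. Doe, OU=Cybersecurity Division, "
                      "O=Department of Homeland Security, C=US, SERIALNUMBER=123456789")
SAMPLE_FINANCE_DN = ("CN=Doe\\, Jane, OU=Finance, O=Department of Homeland Security, "
                     "C=US, SERIALNUMBER=987654321")
SAMPLE_CONTRACTOR_DN = "CN=Jane Roe, O=VendorX, C=US, SERIALNUMBER=C-0001"

if __name__ == "__main__":
    for dn in (SAMPLE_EMPLOYEE_DN, SAMPLE_FINANCE_DN, SAMPLE_CONTRACTOR_DN):
        print(parse_dn(dn)["CN"][0], {r: authorize(dn, r) for r in POLICY})
```

The design choice worth noting is that `authorize` refuses a certificate with no SERIALNUMBER even when the OU would otherwise match: the page lists that attribute as the unique holder identifier, and an access decision that cannot be tied back to a specific credential cannot be audited. In a real deployment the organization check would be backed by the issuing CA's policy OIDs rather than by the O string alone.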
The Subject DN attributes in a PIV certificate are critical for authentication, access control, and
identity federation in federal and enterprise environments. They help ensure secure and unique
identification of users while enabling interoperability across systems.