Naming Document Sections

Four sections of the Naming Document

[1] The four sections of the Naming Document are explained in the following sub sections:

Section I- New Issuing Authority Organization

Section II- Operational Period

Section III - Distinguished Name

Section IV - Certificate Format & Extensions

• Section I – New Issuing Authority Organization

This section lists the name, address and country of operation of the New Issuing Authority and is the organization that the CA will be generated for.



• Section II – Operational Period

This section identifies the validity period showing the integer value representing the number of years, for which the particular CA is going to operational. The value is subsequently used to calculate the CA expiration date subject to the real date and time value of CA generation event, provided as UTC.



• Section III – Distinguished Name

This section specifies the Distinguished Name [DN] of the New Issuing Authority (new CA) and the Superior Issuing Authority (higher level CA, commonly referred to as the signer and the issuer), that is issuing the new CA, if applicable. There are two sections to the DN section of this element of the Naming Document and these are described in the following sub sections:

Name of Superior Issuing Authority

Name of New Issuing Authority




• Name of Superior Issuing Authority

This section lists the Distinguished Name of the Superior Issuing Authority. The Superior Issuing Authority is the CA, that signs the new CA certificate. The Superior Issuing Authority is also referred to as the issuer and the signer. The Superior Issuing Authorities for the types of CAs you may want to generate are as follows:

• For a new Root CA, where there is really no Superior Issuing Authority and the Root CA certificate is self-signed, the Superior Issuing Authority Distinguished Name must exactly match the New Issuing Authority Distinguished Name.
• For a new Subordinate CA, where the Superior Issuing Authority is either a Root CA or another Subordinate CA of a higher level, the Superior Issuing Authority Distinguished Name must match the Distinguished Name of:

a. for Level 1 Subordinate CAs, the Root CA

b. for Level N Subordinate CA, lower than Level 1, a Subordinate CA of a Level higher
than N (levels are to be interpreted in a reversed counting order)

In each of the above instances, the value of the Superior Issuing Authority Distinguished Name must always match the value of the Distinguished Name of the CA that actually signs the new Subordinate CA certificate.


The Distinguished Name of the Superior Issuing Authority is defined using the following attributes:

• CA Email Address (E) – as an option
• Organizational Name (O)
• Organizational Unit Name (OU)
• Common Name (CN)
• Locality (L) – as an option
• State or Province (S) – as an option
• Country Name (C)

Important Note: The country name attribute should be chosen from a list of registered country names, with associated country codes, as defined by the ISO 3166 standard.