Parse X.509 certificate Distinguished Names into readable key-value pairs. Break down Subject and Issuer DN fields instantly in your browser.
Paste a raw DN string, an openssl -text block, or just the Subject/Issuer line from a certificate.
The parser will detect Subject, Issuer, and any standalone DN strings automatically.
Each attribute is shown with its short name, full label, OID, and value. Copy individual fields or the full output.
An X.509 Distinguished Name (DN) is a structured string that identifies the subject or issuer of a certificate. This tool parses that string into labelled fields — CN, O, OU, C, L, ST and more — so you can quickly read and audit certificate identity data.
A Distinguished Name is a sequence of attribute-value pairs used in X.509 certificates to uniquely identify the subject (the entity the certificate was issued to) and the issuer (the Certificate Authority that signed it). Common attributes include CN (Common Name), O (Organization), and C (Country).
The parser handles comma-separated DNs (CN=example.com,O=Acme,C=US), slash-separated DNs (/CN=example.com/O=Acme/C=US), full openssl x509 -text output with Subject and Issuer lines, and raw DN strings with OID-style keys.
CN stands for Common Name. In TLS/SSL certificates it typically holds the hostname or wildcard domain the certificate is issued for (e.g. *.example.com). In client or user certificates it usually holds the person's name or email address.
EV certificates contain additional DN attributes that prove business identity, including jurisdictionCountry, jurisdictionState, jurisdictionLocality, and businessCategory. These OIDs are in the 1.3.6.1.4.1.311.60.2.1.* range and are fully supported by this parser.
No. All parsing is done entirely in your browser using JavaScript. Your certificate data never leaves your machine. The tool is completely client-side for maximum privacy.
An Object Identifier (OID) is a globally unique dotted-decimal number used to identify certificate attributes, algorithms, and extensions. For example, 2.5.4.3 is the OID for Common Name (CN). This parser automatically expands OIDs to their human-readable labels.
Run openssl x509 -in cert.pem -text -noout in your terminal and paste the output here. The parser will automatically detect and extract the Subject and Issuer lines. Alternatively, copy the Subject or Issuer line directly from a browser's certificate viewer.
The Subject identifies the entity the certificate was issued to — typically a website, organisation, or person. The Issuer identifies the Certificate Authority (CA) that signed and vouched for the certificate. In a self-signed certificate, Subject and Issuer are identical.
X.509 certificates are the foundation of TLS/SSL security on the web, and at the heart of every certificate is the Distinguished Name (DN) — a structured, hierarchical string that uniquely identifies who the certificate belongs to and who issued it. Understanding how to read and parse DNs is an essential skill for developers, security engineers, and system administrators working with PKI (Public Key Infrastructure).
A Distinguished Name consists of one or more Relative Distinguished Names (RDNs), each containing an attribute type and a value. The most common format looks like this:
CN=*.example.com, O=Example Inc, L=San Francisco, ST=California, C=US
Each attribute type has a short code (like CN for Common Name), a full descriptive label, and an underlying numeric Object Identifier (OID) defined in the X.500 standard.
Here are the most frequently encountered attributes in X.509 certificates:
*.example.com), or a person's full name in client certificates.
US, GB, DE).
DC=example,DC=com).
Extended Validation certificates contain additional DN attributes that provide a higher level of identity assurance. These include jurisdiction fields that indicate where the organisation is legally incorporated:
1.3.6.1.4.1.311.60.2.1.3): Country of legal incorporation.
1.3.6.1.4.1.311.60.2.1.2): State of legal incorporation.
1.3.6.1.4.1.311.60.2.1.1): Locality of legal incorporation.
The most common way to inspect a certificate's DN fields is with OpenSSL:
openssl x509 -in certificate.pem -text -noout
This produces output with Subject and Issuer lines like:
Subject: CN=*.example.com, O=Example Inc, L=San Francisco, ST=California, C=US
Issuer: CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
You can paste this entire block into our parser and it will automatically detect and extract both the Subject and Issuer Distinguished Names, expanding each attribute into a clean, labelled key-value table.
Every X.509 certificate contains two Distinguished Names. The Subject DN identifies the entity the certificate was issued to — this could be a website domain, a company, or an individual. The Issuer DN identifies the Certificate Authority (CA) that signed and vouched for the certificate.
In a standard TLS certificate chain, the Issuer of a certificate matches the Subject of the CA certificate above it in the chain. In a self-signed certificate (like those used in development), the Subject and Issuer are identical — because the entity signed its own certificate.
Every attribute type in a DN is ultimately identified by an OID — a globally unique dotted-decimal number defined by standards bodies. Short names like CN and O are just aliases. When working with raw certificate data or less common attributes, you may encounter OIDs directly. This parser automatically maps known OIDs to their human-readable labels, including all standard X.500 attributes and EV certificate extensions.
Distinguished Names can be represented in several text formats. The most common is the RFC 4514 format using commas as separators. Some systems use the older OpenSSL slash format where attributes are separated by forward slashes and the string starts with a slash: /CN=example.com/O=Acme/C=US. LDAP systems sometimes use a reverse order where the most significant component (like DC=com) appears last. Our parser handles all these variants automatically.
Parsing Distinguished Names is useful in many real-world scenarios. Security auditors use DN inspection to verify that certificates are issued to the correct organisation and by a trusted CA. Developers building mutual TLS (mTLS) authentication need to extract the CN or other fields from client certificates to identify users. DevOps engineers troubleshooting certificate chain errors often need to compare Subject and Issuer fields to find mismatches. Compliance teams verify that EV certificates contain the correct jurisdiction and business category fields required by their policy.
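The parsing and Subject/Issuer comparison described above, as an added JavaScript example (not this tool's own code). The names OID_NAMES, splitUnescaped, parseDN, extractDNs, sameDN and SAMPLE are hypothetical; it assumes single-character backslash escapes only, so hex escapes, quoted values and multi-valued (+) RDNs are out of scope.

```javascript
// OID aliases: only attributes named on this page (an assumed subset).
const OID_NAMES = new Map([
  ['2.5.4.3', 'CN'],
  ['1.3.6.1.4.1.311.60.2.1.3', 'jurisdictionCountry'],
  ['1.3.6.1.4.1.311.60.2.1.2', 'jurisdictionState'],
  ['1.3.6.1.4.1.311.60.2.1.1', 'jurisdictionLocality'],
]);

// Split on an unescaped separator; a backslash keeps the next character literal.
function splitUnescaped(s, sep) {
  const parts = [];
  let cur = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '\\' && i + 1 < s.length) cur += s[i] + s[++i];
    else if (s[i] === sep) { parts.push(cur); cur = ''; }
    else cur += s[i];
  }
  return parts.concat(cur);
}

// Parse a comma- or slash-separated DN into ordered { key, value } pairs.
function parseDN(dn) {
  dn = dn.trim();
  const slash = dn.startsWith('/');
  const rdns = splitUnescaped(slash ? dn.slice(1) : dn, slash ? '/' : ',');
  return rdns.filter((r) => r.trim() !== '').map((r) => {
    const eq = r.indexOf('=');
    if (eq < 1) throw new Error('Malformed RDN: ' + r);
    const key = r.slice(0, eq).trim();
    const value = r.slice(eq + 1).trimStart().replace(/\\(.)/g, '$1');
    return { key: OID_NAMES.get(key) || key, value };
  });
}

// Extract Subject and Issuer DNs from `openssl x509 -text` output.
function extractDNs(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(Subject|Issuer):\s*(.+)$/);
    if (m) out[m[1].toLowerCase()] = parseDN(m[2]);
  }
  return out;
}

// True when two parsed DNs match attribute by attribute (exact string comparison).
const sameDN = (a, b) => JSON.stringify(a) === JSON.stringify(b);
// Constructed sample: the Subject and Issuer lines shown on this page.
const SAMPLE = 'Issuer: CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US\n' +
  'Subject: CN=*.example.com, O=Example Inc, L=San Francisco, ST=California, C=US';
console.log(extractDNs(SAMPLE), sameDN(extractDNs(SAMPLE).subject, extractDNs(SAMPLE).issuer));
```

Splitting on every comma instead of only unescaped ones would turn a value such as Acme\, Inc into two fields, which matters when a CN or O extracted from a client certificate feeds an mTLS authorization decision.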