Skip to content

X500Principal Distinguished Name order

I’m using the Bouncycastle lib to generate certificates from PKCS10 requests using the X509v3CertificateBuilder class.

It returns build a X509CertificateHolder object which contains the generated certificate. If I call getIssuer on the holder, it returns the issuer distinguished name in the correct order (the same returned if I call getSubjectX500Principal() on the issuer certificate), if I parse the encoded version from the holder using the java CertificateFactory, the getIssuerX500Principal() method of the generated certificate returns the DN in the opposite order, what’s wrong?

Here is an example code of what I’m trying to do:

X509CertificateHolder holder =;
holder.getIssuer(); //Returns the DN in the correct order (same as in issuer cert)

CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(holder.getEncoded()));

cert.getIssuerX500Principal().getName(); //Returns issuer DN in reverse order



Since I need to compare distinguished names, I resolved by parsing the DN with LdapName class and comparing the parsed rdns:

boolean DNmatches(X500Principal p1, X500Principal p2) {
    List<Rdn> rdn1 = new LdapName(p1.getName()).getRdns();
    List<Rdn> rdn2 = new LdapName(p2.getName()).getRdns();

    if(rdn1.size() != rdn2.size())
        return false;

    return rdn1.containsAll(rdn2);
2 People found this is helpful