diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
index dcf0e50f..a900d0b6 100644
--- a/rcgen/src/certificate.rs
+++ b/rcgen/src/certificate.rs
@@ -611,7 +611,7 @@ impl CertificateParams {
 		let der = subject_key.sign_der(|writer| {
 			// Write version
 			writer.next().write_u8(0);
-			write_distinguished_name(writer.next(), distinguished_name.clone());
+			write_distinguished_name(writer.next(), distinguished_name);
 			serialize_public_key_der(subject_key, writer.next());
 
 			// According to the spec in RFC 2986, even if attributes are empty we need the empty attribute tag
@@ -673,7 +673,7 @@ impl CertificateParams {
 			// Write signature algorithm
 			issuer.key_pair.alg.write_alg_ident(writer.next());
 			// Write issuer name
-			write_distinguished_name(writer.next(), issuer.distinguished_name.clone());
+			write_distinguished_name(writer.next(), issuer.distinguished_name);
 			// Write validity
 			writer.next().write_sequence(|writer| {
 				// Not before
@@ -683,7 +683,7 @@ impl CertificateParams {
 				Ok::<(), Error>(())
 			})?;
 			// Write subject
-			write_distinguished_name(writer.next(), self.distinguished_name.clone());
+			write_distinguished_name(writer.next(), &self.distinguished_name);
 			// Write subjectPublicKeyInfo
 			serialize_public_key_der(pub_key, writer.next());
 			// write extensions
@@ -872,7 +872,7 @@ fn write_general_subtrees(writer: DERWriter, tag: u64, general_subtrees: &[Gener
 								GeneralSubtree::Rfc822Name(name)
 								| GeneralSubtree::DnsName(name) => writer.write_ia5_string(name),
 								GeneralSubtree::DirectoryName(name) => {
-									write_distinguished_name(writer, name.clone())
+									write_distinguished_name(writer, name)
 								},
 								GeneralSubtree::IpAddress(subnet) => {
 									writer.write_bytes(&subnet.to_bytes())
diff --git a/rcgen/src/crl.rs b/rcgen/src/crl.rs
index 111f0c47..e9dac2f8 100644
--- a/rcgen/src/crl.rs
+++ b/rcgen/src/crl.rs
@@ -234,7 +234,7 @@ impl CertificateRevocationListParams {
 			// Write issuer.
 			// RFC 5280 §5.1.2.3:
 			//   The issuer field MUST contain a non-empty X.500 distinguished name (DN).
-			write_distinguished_name(writer.next(), issuer.distinguished_name.clone());
+			write_distinguished_name(writer.next(), issuer.distinguished_name);
 
 			// Write thisUpdate date.
 			// RFC 5280 §5.1.2.4:
diff --git a/rcgen/src/lib.rs b/rcgen/src/lib.rs
index a36d536a..fb8d5164 100644
--- a/rcgen/src/lib.rs
+++ b/rcgen/src/lib.rs
@@ -338,10 +338,10 @@ impl DistinguishedName {
 		self.entries.push((ty, s.into()));
 	}
 
-	/// Replaces the *fist occurrence* of a type with a new value.
+	/// Replaces the *first occurrence* of a type with a new value.
 	/// This is a convenience function to avoid duplicating values.
 	///
-	/// If there are multiple occurrences of a type there is currently no way of changing the besides iterating over the types and values of an existing instance and creating a new instance.
+	/// If there are multiple occurrences of a type there is currently no way of changing them besides iterating over the types and values of an existing instance and creating a new instance.
 	///
 	/// ```
 	/// # use rcgen::{DistinguishedName, DnType, DnValue};
@@ -586,7 +586,7 @@ fn write_dt_utc_or_generalized(writer: DERWriter, dt: OffsetDateTime) {
 	}
 }
 
-fn write_distinguished_name(writer: DERWriter, dn: DistinguishedName) {
+fn write_distinguished_name(writer: DERWriter, dn: &DistinguishedName) {
 	writer.write_sequence(|writer| {
 		for (ty, content) in dn.iter() {
 			writer.next().write_set(|writer| {
diff --git a/rcgen/tests/openssl.rs b/rcgen/tests/openssl.rs
index bbec1e56..d68b29e2 100644
--- a/rcgen/tests/openssl.rs
+++ b/rcgen/tests/openssl.rs
@@ -1,5 +1,11 @@
 #![cfg(feature = "pem")]
 
+use std::cell::RefCell;
+use std::io::{Error, ErrorKind, Read, Result as ioResult, Write};
+use std::rc::Rc;
+#[cfg(feature = "x509-parser")]
+use std::str::FromStr;
+
 use openssl::asn1::{Asn1Integer, Asn1Time};
 use openssl::bn::BigNum;
 use openssl::pkey::PKey;
@@ -7,13 +13,13 @@ use openssl::ssl::{HandshakeError, SslAcceptor, SslConnector, SslMethod};
 use openssl::stack::Stack;
 use openssl::x509::store::{X509Store, X509StoreBuilder};
 use openssl::x509::{CrlStatus, X509Crl, X509Req, X509StoreContext, X509};
+
+#[cfg(feature = "x509-parser")]
+use rcgen::Ia5String;
 use rcgen::{
 	BasicConstraints, Certificate, CertificateParams, DnType, DnValue, GeneralSubtree, IsCa,
 	KeyPair, NameConstraints,
 };
-use std::cell::RefCell;
-use std::io::{Error, ErrorKind, Read, Result as ioResult, Write};
-use std::rc::Rc;
 
 mod util;
 
@@ -542,9 +548,6 @@ fn test_openssl_pkcs1_and_sec1_keys() {
 #[test]
 #[cfg(feature = "x509-parser")]
 fn test_parse_certificate_with_multiple_domain_components() {
-	use rcgen::Ia5String;
-	use std::str::FromStr;
-
 	/// Command used to generate:
 	/// `openssl req -x509 -newkey rsa:4096 -nodes -out mycert.pem -keyout mykey.pem -days 365 -subj "/C=US/ST=California/L=San Francisco/O=Example Company/OU=IT Department/CN=www.example.com/DC=example/DC=com"`
 	/// Contains two distinct "DC" entries.