X.500 Distinguished Names
X.500 Distinguished Names are used to identify entities, such as
those which are named by the subject and issuer (signer)
fields of X.509 certificates. keytool supports the following subparts:
- commonName - common name of a person, e.g., "Susan Jones"
- organizationUnit - small organization (e.g., department or division) name, e.g., "Purchasing"
- organizationName - large organization name, e.g., "ABCSystems, Inc."
- localityName - locality (city) name, e.g., "Palo Alto"
- stateName - state or province name, e.g., "California"
- country - two-letter country code, e.g., "CH"
When you supply a distinguished name string on the command line, it must have the form
CN=cName, OU=orgUnit, O=org, L=city, S=state, C=countryCode
where cName, orgUnit, org, city, state and countryCode are placeholders for actual values, and the keywords are abbreviations for the following:
CN=commonName
OU=organizationUnit
O=organizationName
L=localityName
S=stateName
C=country
A sample distinguished name string is
CN=Mark Smith, ou=Tivoli, o=IBM, L=Austin, S=Texas, C=US
and a sample command using such a string is
keytool -genkeypair -dname "CN=Mark Smith, ou=Tivoli, o=IBM, L=Austin, S=Texas, C=US" -alias mark
Case does not matter for the keyword abbreviations. For example, "CN", "cn", and "Cn" are all treated the same.
Order matters; each subcomponent must appear in the designated
order. However, it is not necessary to have all the subcomponents.
You may use a subset, for example:
CN=Steve Meier, OU=Tivoli, o=IBM, C=US
If a distinguished name string value contains a comma, the comma
must be escaped by a "\" character when you specify the string on
a command line, as in
cn=peter schuster, ou=Tivoli, o=IBM\, Inc., c=us
It is never necessary to specify a distinguished name string on a command line. If it is needed for a command, but not supplied on the command line, the user is prompted for each of the subcomponents. In this case, a comma does not need to be escaped by a "\".
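The parsing rules described above (case-insensitive keywords, fixed keyword order, optional subcomponents, backslash-escaped commas), as an added Python example that is not part of the keytool documentation; it models the rules as this page states them and is not keytool's own parser.

```python
# Keyword abbreviations in the order keytool expects them (from the page).
KEYWORDS = ["CN", "OU", "O", "L", "S", "C"]


def split_dn(dn):
    """Split a DN string on unescaped commas; a '\\,' sequence stays in the value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parse_dn(dn):
    """Return an ordered list of (KEYWORD, value) pairs, raising ValueError when a
    keyword is unknown, repeated, or out of the designated order."""
    result, last_idx = [], -1
    for part in split_dn(dn):
        if "=" not in part:
            raise ValueError(f"missing '=' in {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().upper()  # case does not matter for the keyword
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword {key!r}")
        idx = KEYWORDS.index(key)
        if idx <= last_idx:
            raise ValueError(f"{key} must come after {KEYWORDS[last_idx]}")
        last_idx = idx
        result.append((key, value.strip()))
    return result


def format_dn(pairs):
    """Render pairs back into the command-line form, escaping embedded commas."""
    rendered = []
    for key, value in pairs:
        rendered.append(key + "=" + value.replace(",", "\\,"))
    return ", ".join(rendered)
```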