X.500 Distinguished Names

X.500 Distinguished Names are used to identify entities, such as those which are named by the subject and issuer (signer) fields of X.509 certificates. keytool supports the following subparts:
  • commonName - common name of a person, e.g., "Susan Jones"
  • organizationUnit - small organization (e.g., department or division) name, e.g., "Purchasing"
  • organizationName - large organization name, e.g., "ABCSystems, Inc."
  • localityName - locality (city) name, e.g., "Palo Alto"
  • stateName - state or province name, e.g., "California"
  • country - two-letter country code, e.g., "CH"
When supplying a distinguished name string as the value of a -dname option, as for the -genkeypair command, the string must be in the following format:
CN=cName, OU=orgUnit, O=org, L=city, S=state, C=countryCode
where all the italicized items represent actual values and the keywords are abbreviations for the following:
CN=commonName
OU=organizationUnit
O=organizationName
L=localityName
S=stateName
C=country
A sample distinguished name string is
CN=Mark Smith, ou=Tivoli, o=IBM, L=Austin, S=Texas, C=US
and a sample command using such a string is
keytool -genkeypair -dname "CN=Mark Smith, ou=Tivoli, o=IBM, L=Austin, S=Texas, C=US" -alias mark

Case does not matter for the keyword abbreviations. For example, "CN", "cn", and "Cn" are all treated the same.

Order matters; each subcomponent must appear in the designated order. However, it is not necessary to have all the subcomponents. You may use a subset, for example:
CN=Steve Meier, OU=Tivoli, o=IBM, C=US
If a distinguished name string value contains a comma, the comma must be escaped by a "\" character when you specify the string on a command line, as in
cn=peter schuster, ou=Tivoli, o=IBM\, Inc., c=us
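The following is an added example, not part of the keytool documentation: a small checker that applies the rules above to a -dname string before it is handed to keytool (case-insensitive keywords, the fixed CN, OU, O, L, S, C order, an optional subset of components, and "\," as an escaped comma inside a value), plus the inverse that assembles a correctly escaped string from component values. The function and variable names are the example's own.

```python
# Added example (not keytool's own code): validate and build -dname strings.

DN_ORDER = ["CN", "OU", "O", "L", "S", "C"]          # order keytool expects
DN_NAMES = {"CN": "commonName", "OU": "organizationUnit", "O": "organizationName",
            "L": "localityName", "S": "stateName", "C": "country"}


def split_dn(dn):
    """Split on unescaped commas; a backslash makes the next character literal."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # "\," keeps the comma in the value
            buf.append(dn[i + 1])
            i += 2
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def parse_dname(dn):
    """Return [(KEYWORD, value)] in the order given, or raise ValueError."""
    pairs, last_pos = [], -1
    for part in split_dn(dn):
        if "=" not in part:
            raise ValueError(f"component without '=': {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.upper()                          # CN, cn and Cn are the same
        if key not in DN_NAMES:
            raise ValueError(f"unknown keyword {key!r}")
        pos = DN_ORDER.index(key)
        if pos <= last_pos:                        # repeated or out of order
            raise ValueError(f"{key} ({DN_NAMES[key]}) out of order")
        if key == "C" and len(value) != 2:         # country is a two-letter code
            raise ValueError(f"country must be a two-letter code: {value!r}")
        pairs.append((key, value))
        last_pos = pos
    return pairs


def build_dname(values):
    """Inverse: assemble a -dname string from {keyword: value}, escaping commas."""
    parts = []
    for key in DN_ORDER:                           # emits components in order
        if key in values:
            parts.append(key + "=" + values[key].replace(",", "\\,"))
    return ", ".join(parts)
```

parse_dname rejects a string such as "O=IBM, CN=Mark Smith" (wrong order) and a misspelled keyword, while build_dname re-escapes the comma in "IBM, Inc." so the string can be quoted on the command line as shown above.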

It is never necessary to specify a distinguished name string on a command line. If it is needed for a command, but not supplied on the command line, the user is prompted for each of the subcomponents. In this case, a comma does not need to be escaped by a "\".