X.500 distinguished name

This value specifies as an X.500 distinguished name (DN) the identity of the NSS server. It must be a string of no more than 1024 characters. If you click X.500 Distinguished Name, then you must specify this value.

An X.500 Distinguished Name (DN) is composed of a series of Relative Distinguished Names (RDN), each of which contains an attribute type and value pair. The following is an example of an X.500 DN with four RDNs:

CN=Ronald Hoffman,OU=Endicott,O=IBM,C=US

As shown in this example, each RDN must be delimited by a comma. When this distinguished name is displayed in RACF, either from the RACF panels or the TSO RACDCERT LIST command, each RDN will be shown as delimited by periods. Regardless of the RACF display, each RDN segment should be delimited by commas when entered on this panel.

This table lists the DN attribute names that are recognized by the System Secure Sockets Layer (SSL) run time. An error is returned if the DN contains an unrecognized attribute name.

C Country
CN Common name
DC Domain component
E E-mail address
EMAIL E-mail address (preferred)
EMAILADDRESS E-mail address
L Locality
O Organization name
OU Organizational unit name
PC Postal code
S State or province
SN Family name
SP State or province
ST State or province (preferred)
STREET Street
T Title

The following is an example of a DN using attribute names and string values:

CN=Ronald Hoffman,OU=Endicott,O=IBM,C=US

The following is the same DN using object identifiers and encoded string values.

2.5.4.3=#130E526F6E616C6420486F66666D616E,2.5.4.11=#1308456E6469636F7474, 2.5.4.10=#130349424D,2.5.4.6=#13025553

The encoded string values represent the ASN.1 DER encoding of the string. The System Secure Sockets Layer (SSL) run time supports these ASN.1 string types:

PRINTABLE, VISIBLE, TELETEX, IA5, UTF8, BMP, and UCS.

You can use escape sequences to represent individual characters. This is useful when the character cannot be represented in a single-byte character set. The hexadecimal value for the escape sequence is the UTF-8 encoding of the character in the Unicode character set. This table shows the Unicode letter descriptions.

Unicode letter description	10646 code	UTF-8	Quoted
LATIN CAPITAL LETTER L	U0000004C	0x4C	L
LATIN SMALL LETTER U	U00000075	0x750	u
LATIN SMALL LETTER C WITH CARON	U0000010D	0xC48D	\C4\8D
LATIN SMALL LETTER I	U0000010D	0x69	i
LATIN SMALL LETTER C WITH ACUTE	U00000107	0xC487	\C4\87

Thus SN=Lu\C4\8Di\C4\87 represents a family name spelled by the five letters in the table.

You can also use an escape sequence for special characters that are part of the name and are not to be interpreted as delimiters. For example:

CN=L. Eagle,OU=Jones\, Dale and Mian,O=IBM,C=US

Rule: When an X500dn type identity is specified, ensure the DN attributes have the same order as those of the corresponding certificate subject name.

Parent topic: Server Settings