To specify a distinguished name for an X.509 certificate or certificate request, we use a string of attribute type=value pairs separated by semicolons (";"). The general format is
type=value(;type=value)*
Supported types are:
Examples:
"C=US;O=Example Organisation;CN=Test User 1"
"CN=Carol"
"CN=My User;O=My Org;OU=Unit;C=AU;L=My Town;S=NSW;E=myuser@my.org"
At least one attribute must be specified. Spaces are significant between the "=" and the ";". Only a semicolon can be used as a separator; commas are treated as normal characters. The distinguished name attributes are written to the certificate name in the order they are found. Keys may be repeated. Note that the Windows Certificate Manager displays the attributes in the reverse of the order in which they are written.
The attribute value can contain any valid character except the semicolon ";" (ASCII character 0x3B, Unicode U+003B) and the equals sign "=" (ASCII character 0x3D, Unicode U+003D). (Actually, you can use these if you really want to: see Entering values that include the semi-colon and equals sign below.)
We keep the deprecated emailAddress attribute here because it seems so popular.
Note that the emailAddress attribute of the distinguished name is independent of the rfc822Name address in a subjectAltName extension, which can be specified separately in the extensions parameter.
The default encoding is IA5String for the emailAddress attribute and PrintableString for all other attributes. If the input string includes characters that are not valid for these encodings, then a T61String (TeletexString) will be used instead as a fudge. Certificates created with a T61String may not be accepted as valid by some profiles. To force UTF-8 encoding, specify the PKI_X509_UTF8 flag.
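The following pre-flight check is an added example, not the library's own code: it parses a distinguished name string by the rules above and reports which attributes would fall back to T61String, so the UTF-8 flag can be set before the certificate is issued. It assumes "E" is the emailAddress key (as in the example string above), that the flag applies to every attribute, and that an item with no "=" or an empty type is an error; the function names are hypothetical, and the escape mechanism for ";" and "=" is not modelled.

```python
import string

# PrintableString alphabet per X.680; note it has no '@', '&', '_' or '*'.
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")
EMAIL_TYPES = {"E"}  # assumption: "E" is the emailAddress key, as in the page's example


def parse_dn(dn):
    """Split 'type=value(;type=value)*' into ordered (type, value) pairs."""
    if not dn:
        raise ValueError("at least one attribute must be specified")
    pairs = []
    for item in dn.split(";"):           # only ';' separates; ',' is ordinary data
        key, sep, value = item.partition("=")
        if not sep or not key:           # assumption: such items are rejected
            raise ValueError(f"malformed attribute: {item!r}")
        if "=" in value:                 # unescaped '=' is not allowed in a value
            raise ValueError(f"'=' inside value: {item!r}")
        pairs.append((key, value))       # spaces kept, order kept, repeats allowed
    return pairs


def default_encoding(attr_type, value, force_utf8=False):
    """Model the encoding rule described above for one attribute."""
    if force_utf8:                       # stands in for the PKI_X509_UTF8 flag
        return "UTF8String"
    if attr_type in EMAIL_TYPES:
        ok = all(ord(c) < 128 for c in value)
        return "IA5String" if ok else "T61String"
    return "PrintableString" if set(value) <= PRINTABLE else "T61String"


def audit_dn(dn, force_utf8=False):
    """Return [(type, value, encoding)] in the order written to the certificate."""
    return [(k, v, default_encoding(k, v, force_utf8)) for k, v in parse_dn(dn)]


def t61_fallbacks(dn):
    """Attribute types that would silently be encoded as T61String."""
    return [k for k, _, enc in audit_dn(dn) if enc == "T61String"]


if __name__ == "__main__":
    sample = "CN=José Müller;O=Acme, Inc.;OU=R&D"   # constructed sample input
    for row in audit_dn(sample):
        print(row)
    print("T61String fallbacks:", t61_fallbacks(sample))
```

Note that plain ASCII punctuation such as "&" is enough to leave the PrintableString alphabet, so the fallback is not limited to accented or non-Latin names.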