Allow empty subject fields in keytool


    • Type: CSR
    • Resolution: Approved
    • Priority: P4
    • 19
    • Component/s: security-libs
    • None
    • behavioral
    • minimal
      Before this change, when a "." is entered as a component, it is used as the component's value. After this change, the component is left empty. While "." is a legal component value, we don't think it is useful at all; OpenSSL treats a "." the same way, which also suggests its uselessness. If a user insists on using such a component, they can specify it with the `-dname` option, e.g. `-dname CN=.`.
    • Other
    • Implementation

      Summary

      Provides a way to leave a distinguished name component empty when entering a name into the keytool command.

      Problem

      When generating a new self-signed certificate with keytool -genkeypair and the -dname option is not specified on the command line, keytool prompts the user to enter the distinguished name. The questions look like this:

      What is your first and last name?
        [Unknown]: 
      What is the name of your organizational unit?
        [Unknown]:
      What is the name of your organization?
        [Unknown]:
      What is the name of your City or Locality?
        [Unknown]:
      What is the name of your State or Province?
        [Unknown]:
      What is the two-letter country code for this unit?
        [Unknown]:
      

      Each question has a default answer, which is used if the user presses ENTER. This means there is no way to leave any component empty. This is especially a problem now that the "organizational unit" component is deprecated for TLS certificates.

      Solution

      If the user wants to leave a component empty, they just enter a single dot (.) when prompted. This is an existing convention used by the OpenSSL req command, whose documentation says:

      If the user enters nothing then the default value is used; if no default value is present then the field is omitted. A field can still be omitted if a default value is present, if the user just enters the '.' character.

      In keytool, we will print out a guide sentence before asking the questions:

      Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
      

      Since the subject name and the issuer name of a self-signed certificate are the same, and RFC 5280 requires the issuer name to be non-empty, the user cannot leave all components empty. If they try, the following sentence is printed out and the user must answer the questions again:

      At least one field must be provided. Enter again.
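      The dot rule and the non-empty check described above, as an added illustration in plain Java (not keytool's own code; all class and method names are hypothetical, and the "Unknown" defaults and sample answers are constructed):

```java
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class DnPromptRule {
    // Attribute types in the order keytool asks for them (CN, OU, O, L, ST, C).
    static final String[] TYPES = {"CN", "OU", "O", "L", "ST", "C"};

    /** One prompted answer: ENTER keeps the default in braces, a single "." clears the field. */
    static String resolve(String answer, String defaultValue) {
        String a = answer == null ? "" : answer.trim();
        if (a.isEmpty()) return defaultValue;   // ENTER -> default value
        if (a.equals(".")) return "";            // single dot -> component left empty
        return a;
    }

    /** Escapes characters that are special in the RFC 2253 string form of a DN. */
    static String escape(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            if (",+\"\\<>;=".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    /** Builds the subject DN; returns null when every component is empty (issuer must be non-empty). */
    static String buildDn(String[] answers, String[] defaults) {
        List<String> rdns = new ArrayList<>();
        for (int i = 0; i < TYPES.length; i++) {
            String v = resolve(answers[i], defaults[i]);
            if (!v.isEmpty()) rdns.add(TYPES[i] + "=" + escape(v));
        }
        if (rdns.isEmpty()) return null; // caller prints "At least one field must be provided. Enter again."
        return String.join(", ", rdns);
    }

    public static void main(String[] args) {
        String[] defaults = {"Unknown", "Unknown", "Unknown", "Unknown", "Unknown", "Unknown"};
        // Constructed answers: set CN, clear OU with ".", keep defaults for O/L/ST, set C.
        String[] answers = {"example.test", ".", "", "", "", "US"};
        String dn = buildDn(answers, defaults);
        System.out.println(dn); // CN=example.test, O=Unknown, L=Unknown, ST=Unknown, C=US
        // Parse it back to confirm the string is a well-formed X.500 name.
        System.out.println(new X500Principal(dn).getName(X500Principal.RFC2253));
        // All dots: no RDN survives, so the prompt would be repeated.
        System.out.println(buildDn(new String[]{".", ".", ".", ".", ".", "."}, defaults) == null);
    }
}
```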
      

      Specification

      No change to documentation. The keytool man page does not describe the name input process.

            Assignee:
            Weijun Wang
            Reporter:
            Weijun Wang
            Jamil Nimeh