Windows 2008 CA - Unable to Issue Certificate : "The request subject name is invalid or too long"

Issue

When requesting a certificate via the browser, at the point you try to issue the certificate (via certsrv.msc) you receive the error:

Error Constructing or Publishing Certificate

When looking through the events for Active Directory Certificate Services, you see the error:

Active Directory Certificate Services denied request 8 because The request subject name is invalid or too long. 0x80094001 (-2146877439). 

Solution

To enable the parsing of request attributes for subject information, run the following command on the CA. This allows enrollment through the web enrollment pages. Once done, restart the certification authority service (net stop certsvc && net start certsvc).

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
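
The same change as a check-then-set script, added here as an example and not part of the original post: it reads the current CRLFlags value, sets the flag only if it is missing, restarts the service and confirms the result. It assumes an elevated PowerShell session on the CA itself, the standard CertSvc registry location, and the certsrv.h value 0x10000 for the flag; the function name Get-CrlFlagState is made up for this example.

```powershell
# Added example (not from the original post): idempotent enable + verify.
$FlagName = 'CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT'
$FlagBit  = 0x10000   # assumption: value of this flag as defined in certsrv.h
$CfgRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CrlFlagState {
    # "Active" holds the name of the CA that certutil's "ca\" prefix resolves to.
    $ca    = (Get-ItemProperty -Path $CfgRoot -Name Active).Active
    $caKey = Join-Path $CfgRoot $ca
    $value = (Get-ItemProperty -LiteralPath $caKey -Name CRLFlags).CRLFlags
    New-Object PSObject -Property @{
        CA      = $ca
        Value   = $value
        Enabled = (($value -band $FlagBit) -ne 0)
    }
}

$before = Get-CrlFlagState
'{0}: CRLFlags = 0x{1:X}, {2} set = {3}' -f $before.CA, $before.Value, $FlagName, $before.Enabled

if (-not $before.Enabled) {
    # Same command as in the post; "+" sets the bit and leaves the other flags alone.
    & certutil.exe -setreg ca\CRLFlags "+$FlagName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg failed with exit code $LASTEXITCODE"
    }

    # The CA only reads CRLFlags at service start.
    Restart-Service -Name CertSvc

    $after = Get-CrlFlagState
    if (-not $after.Enabled) {
        throw "$FlagName is still not set on CA '$($after.CA)'"
    }
    '{0}: CRLFlags = 0x{1:X}, {2} set = {3}' -f $after.CA, $after.Value, $FlagName, $after.Enabled
}

# To revert, clear the bit with "-" and restart the service again:
#   certutil -setreg ca\CRLFlags -CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
```

The "before" line gives you the original CRLFlags value to record in the change ticket before the CA starts accepting subject information from request attributes.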

Additional

A useful command to check the request attributes can be found below:

C:\Users\Administrator>certutil -view -restrict "Disposition>=30,Disposition<=31"

!! Output Omitted !!

Request Attributes: "
 challenge: provePequalsNP
 country: UK
 state: HANTS
 locality: STOKE
 org: IT
 orgunit: IT
 email: test@test
 commonname: bob
 CertificateUsage:       1.3.6.1.5.5.7.3.2
 UserAgentString: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko)   Chrome/22.0.1229.94 Safari/537.4

 

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001