Windows 2008 CA Unable to Issue Certificate: The request subject name is invalid or too long

Issue

When requesting a certificate via the browser, at the point you try to issue the certificate (via certsrv.msc) you receive the error:

Error Constructing or Publishing Certificate

When looking through the Events for Active Directoty Certificate Services you see the error:

Active Directory Certificate Services denied request 8 because The request subject name is invalid or too long. 0x80094001 (-2146877439).

Solution

To enable the parsing of request attributes for subject information, the following command must be run. This allows for enrollment through web enrollment pages. Once done restart the certification authority service (net stop certsvc && net start certsvc).

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

Additional

A useful command to check the request attributes can be found below:

C:\Users\Administrator>certutil -view -restrict “Disposition>=30,Disposition<=31”

!! Output Omitted !!

Request Attributes: ”
challenge: provePequalsNP
country: UK
state: HANTS
locality: STOKE
org: IT
orgunit: IT
email: test@test
commonname: bob
CertificateUsage:       1.3.6.1.5.5.7.3.2
UserAgentString: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko)   Chrome/22.0.1229.94 Safari/537.4

 

Rick Donato

Want to become a Windows expert?

Here is our hand-picked selection of the best courses you can find online:
Windows Server 2019 Administration course
Windows 10 Troubleshooting course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial