Assume the following scenario:
- A certificate request is sent to a certification authority.
- The certificate request fails with the following error message:
Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)
The certification authority logs event ID 22:
Active Directory Certificate Services could not process request 166086 due to an error: The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT). The request was for CN=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa. Additional information: Error Parsing Request
Possible causes:
- The Applicant (Subject) field in the certificate request is identical to that of the certification authority.
- An RDN (e.g. Common Name) requested in the Applicant (Subject) field is longer than allowed.
- A certificate request does not contain any subject information (empty subject and no subject alternative name).
Details: The Applicant (Subject) field in the certificate request is identical to that of the certification authority.
The Certification Authority compares its own applicant name (Subject) with that of the applicant and rejects certificate requests that request the name of the Certification Authority.
Details: An RDN (e.g. Common Name) requested in the Applicant (Subject) field is longer than allowed.
The error can also occur if one of the requested Relative Distinguished Names (RDN) in the Applicant field is too long. You can display the length of the RDNs with the following command line command:
certutil -v -dump {certificate request}
The Microsoft Certification Authority limits the length of requested RDNs (in the case of the CN to 64 characters; see also the article "Allowed Relative Distinguished Names (RDNs) in the Subject of Issued Certificates"). However, this enforcement can be switched off with the following command line command:
certutil -setreg ca\EnforceX500NameLengths 0
Afterwards, the certification authority service must be restarted to apply the changes.
If the Common PKI standard is used, note that this standard itself limits the length of Relative Distinguished Names (RDNs) to 64 characters.
Whether the restriction is currently set can be checked with the following command line command:
certutil -getreg ca\EnforceX500NameLengths
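To catch an over-long RDN before a request is submitted, the following added example (not code from the article) parses a DER-encoded X.500 Name and compares each value against the upper bounds the CA enforces while EnforceX500NameLengths is 1; the OID table and the sample subject are constructed for the example.

```python
"""Check RDN value lengths in a DER-encoded X.500 Name against the upper bounds
a Microsoft CA enforces while EnforceX500NameLengths is 1, so an over-long CN is
found before the CA answers with CERTSRV_E_BAD_REQUESTSUBJECT. Added example."""

# Attribute type OID (DER content bytes) -> (short name, RFC 5280 upper bound)
UPPER_BOUNDS = {
    b"\x55\x04\x03": ("CN", 64),
    b"\x55\x04\x0a": ("O", 64),
    b"\x55\x04\x0b": ("OU", 64),
    b"\x55\x04\x06": ("C", 2),
}

def _tlv(tag, body):
    """DER-encode tag + length + body, using the long form for lengths >= 128."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_name(rdns):
    """DER-encode [(oid_bytes, text)] as Name ::= SEQUENCE OF SET OF {type, UTF8String}."""
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, text.encode("utf-8"))))
        for oid, text in rdns))

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def check_name_lengths(der_name):
    """Return [(attribute, actual_length, limit)] for every RDN over its upper bound."""
    _, name_body, _ = _read_tlv(der_name, 0)          # Name (SEQUENCE)
    violations, pos = [], 0
    while pos < len(name_body):
        _, set_body, pos = _read_tlv(name_body, pos)   # RelativeDistinguishedName (SET)
        _, atv, _ = _read_tlv(set_body, 0)             # AttributeTypeAndValue (SEQUENCE)
        _, oid, p = _read_tlv(atv, 0)                  # type (OBJECT IDENTIFIER)
        _, value, _ = _read_tlv(atv, p)                # value (string type)
        name, limit = UPPER_BOUNDS.get(oid, (oid.hex(), None))
        chars = len(value.decode("utf-8"))
        if limit is not None and chars > limit:
            violations.append((name, chars, limit))
    return violations

if __name__ == "__main__":
    # Constructed subject: a 65-character CN is what the CA rejects while enforcement is on.
    print(check_name_lengths(build_name([(b"\x55\x04\x03", "a" * 65), (b"\x55\x04\x06", "DE")])))
```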
This restriction does not apply to the Subject Alternative Name (SAN). Depending on the certificate type (e.g. for SSL) it may be useful or even necessary (see RFC 2818) to prefer the Subject Alternative Name over the Common Name.
Related links:
- Generating a RFC 2818 compliant certificate request for SSL certificates
- Description of the necessary configuration settings for the "Common PKI" certificate profile
- Allowed Relative Distinguished Names (RDNs) in the Subject of Issued Certificates
External sources
- Request for Certificate Is Denied and a "The Request Subject Name Is Invalid or Too Long" Error Message Occurs (Microsoft)
- RFC 2818 - HTTP Over TLS (Internet Engineering Task Force)