Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".

Author Uwe GradeneggerPosted on Categories Troubleshooting, Certificate usage, Certification AuthorityTags , ,

Assume the following scenario:

  • A Certification Authority certificate is requested from a Certification Authority
  • The certificate request fails with the following error message:
The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)
Denied by Policy Module

In addition, the Certification Authority logs accordingly the Event with no. 53:

Active Directory Certificate Services denied request 57 because The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE). The request was for CN=Invalid Path Length CA. Additional information: Denied by Policy Module

Possible causes

Basically, this error occurs when the certification authority certificate has a certificate policy (Issuance Policy) or restriction (Application Policy) or a path length constraint that conflicts with the requested certificate. Examples may include:

  • The certification authority certificate has a path length constraint and a subordinate certification authority certificate is requested
  • The certificate policy (issuance policy) on a root certification authority was changed when the certification authority certificate was renewed

Details: The certification authority certificate has a path length constraint and a subordinate certification authority certificate is requested

This error occurs if the certification authority certificate has a path length constraint with the value "0" and is therefore not allowed to issue certification authority certificates. This behavior is a desired security feature and therefore cannot be disabled.

See also article "Basics: Path Length Constraint„.

Details: The certificate policy (issuance policy) on a root certification authority was changed when the certification authority certificate was renewed

The error can occur with a root certification authority when renewing its certificate authority certificates and changing the issuance policy via capolicy.inf.

A root certification authority will try to create a cross certification between the new and the previous certification authority certificate when renewing the certification authority certificate (if a new key pair has been generated). However, if the issuance policies of the two certificates differ, this will fail.

The certificate authority will retry and fail the process every time the service is started, so new failed requests will be generated over and over again.

By the way, an interesting feature here is that the certificate request cannot be viewed.

This is also indicated in the event display accordingly with the Event no. 102 pictured.

In this case, the following options are available for solution:

Related links:

5 thoughts on “Die Beantragung eines Zertifizierungsstellen-Zertifikats schlägt fehl mit Fehlermeldung „The certification authority’s certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)“”

  1. Pingback: Configuring the Path Length Constraint for Certificates Issued by a Certification Authority - Uwe Gradenegger
  2. Pingback: Disabling the generation of cross-certification authority certificates - Uwe Gradenegger
  3. Pingback: Details about the event with ID 53 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  4. Pingback: Details about the event with ID 102 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  5. Pingback: Basics: Path Length Constraint - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish