
certreq with name-format "Lastname, Firstname"

Posted by MarkusR on November 17, 2006, 7:09 am
Hi everybody,

I'm trying to script certificate requests with certreq and have a
problem I couldn't find a solution for.

I try to define the subject's name in the policyfile like this:

[NewRequest]
Subject="CN=Lastname\, Firstname, OU=Department, O=Organisation"

The backslash should be the escape character that must be set before
the comma. But when I try to build the request file, the following
error message comes up:

The string contains an invalid X500 name attribute key, oid, value or
delimiter. 0x80092023 (-2146885597)

I have a Windows enterprise CA running on Windows 2003 Enterprise
Server.

Thanks in advance for your help,
Markus


Posted by Carsten Kinder [MSFT] on November 19, 2006, 10:44 am
Markus,

according to RFC1617 (http://www.ietf.org/rfc/rfc1617.txt?number=1617)
heading 4.4.1, a comma is not allowed as part of the common name.

--
Carsten Kinder
Microsoft Services

This posting is provided "AS IS" with no warranties, and confers no
rights.


Posted by Michael Ströd on November 19, 2006, 7:52 pm
Carsten,

Carsten Kinder [MSFT] wrote:
>
> according to RFC1617 (http://www.ietf.org/rfc/rfc1617.txt?number=1617)
> heading 4.4.1, a comma is not allowed as part of the common name.

1. The RFC and the section cited above do not say anything about a
comma at all.
2. This informational (and old) RFC was just meant as a profile of
X.500 directories in a special project.
3. The RFC is not relevant here since it talks about directories.
PKIX is relevant, see RFC 3280 (Standards Track).

=> Of course you can use a comma in the CN (alias commonName) if you
encode the subject DN as UTF8String as suggested by PKIX. Even
PrintableString should work.

The main problem with a comma is that it's used as a DN component
separator for the string representation of distinguished names.
Depending on what tools you use and depending on your shell you might
have to escape the comma, e.g. with a backslash \.

Ciao, Michael.
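As an added illustration (not code from anyone in this thread): a small Python implementation of the backslash escaping Michael describes, following the RFC 4514 string representation rules, plus a parser that splits a DN on unescaped commas only. It shows at the string level why "CN=Lastname, Firstname" is read as two components unless the comma is escaped; the sample DN is the one from Markus's policy file.

```python
# Added example, not from the thread: RFC 4514-style escaping of a DN
# attribute value and a parser that splits on *unescaped* commas.
# Without the backslash, "CN=Lastname, Firstname" yields a second
# component "Firstname" that has no attribute type at all.

SPECIAL = set(',+"\\<>;')


def escape_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (type, value) pairs into a DN string, escaping each value."""
    return ", ".join(f"{t}={escape_value(v)}" for t, v in rdns)


def parse_dn(dn: str):
    """Split a DN string into (type, value) pairs on unescaped commas.

    A component with no '=' is returned as (None, text) so a stray,
    unescaped comma in a value is visible as a malformed RDN.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:            # previous char was a backslash: literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma ends the component
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    result = []
    for part in parts:
        t, sep, v = part.strip().partition("=")
        result.append((t, v) if sep else (None, t))
    return result
```

Whether certreq's INF parser honours this escaping (single or double backslash) is exactly the open question of the thread; the example only shows the string-level rule.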

Posted by MarkusR on November 24, 2006, 7:59 am
Hi Carsten, hi Michael,

If I take the subject information from Active Directory (that uses the
format "Lastname, Firstname"), it works fine as well as for the manual
certificate request generated by the webservice of certutil. My problem
is that I have to do it by a script.

I think it's a bug no one noticed before. Nevertheless, thanks for your
help.

Best regards
Markus


Posted by Michael Ströd on November 24, 2006, 8:43 am
MarkusR wrote:
>
> if I take the subject information from Active Directory (that uses the
> format "Lastname, Firstname"), it works fine as well as for the manual
> certificate request generated by the webservice of certutil. My problem
> is that I have to do it by a script.

IIRC you already tried to escape the comma with a single backslash. But
maybe you have to escape it differently or use a double backslash to
preserve one backslash at this level.

Ciao, Michael.
