Microsoft ADCS: change Subject in existing CSR

pki active-directory-adcs

Suppose I have a CSR in which some Subject fields were not created according to X.509 - there are forbidden characters in Subject, or Country was provided as "England".

Is there any way to recover from that?

I tried:

  • using policy.inf to resign the certificate, but I can't find any way to change existing Subject
  • editing request directly on CA, but since there's some forbidden stuff in the CSR, the request immediately fails, and using certutil -setattributes results in "CERTSRV_E_BAD_REQUESTSUBJECT" (kind of expected, but a bit weird since you can try to reissue a request that's in "Failed" list).

I don't think that "fixing" bad CSR is possible here, but perhaps I'm wrong?


Assuming you're using a standard format for your requests - and you have to with ADCS - there are only two places you can change the Subject (or any other attribute or extension) of a certificate request:

  • at the source by generating a new request; or,
  • request the CA alter the request before it signs it.

You cannot change a certificate request in between generating it and the CA accepting it as it is digitally signed. Any changes would invalidate the signature.

If the CA won't accept the request, your only option is to go back to the source.

Related

How do I remove the contact photo from the window of received mail in Outlook 2007?
EBS backed AMI become instance-store AMI when migrate across region
Port forward with iptables
Bridging a vlan and OpenVPN tap on Debian
CoreOS bare-metal vlan networking
Why am I getting different results from two servers that located in the same destination network?
Access to the current time in windows batch script
Scalable Web Application Hardware Topology Best Practice
Small Business Server with Hyper-V role despite it not being supported?
openVPN and multiple external IP addresses
IPv6-only client to IPv6/IPv4 dual stack server tunnel?
How can I can log cpu spikes?