Microsoft ADCS: change Subject in existing CSR
Suppose I have a CSR in which some Subject fields were not created according to X.509 - there are forbidden characters in Subject, or Country was provided as "England".
Is there any way to recover from that?
I tried:
- using policy.inf to resign the certificate, but I can't find any way to change existing Subject
- editing request directly on CA, but since there's some forbidden stuff in the CSR, the request immediately fails, and using certutil -setattributes results in "CERTSRV_E_BAD_REQUESTSUBJECT" (kind of expected, but a bit weird since you can try to reissue a request that's in "Failed" list).
I don't think that "fixing" bad CSR is possible here, but perhaps I'm wrong?
Assuming you're using a standard format for your requests - and you have to with ADCS - there are only two places you can change the Subject (or any other attribute or extension) of a certificate request:
- at the source by generating a new request; or,
- request the CA alter the request before it signs it.
You cannot change a certificate request in between generating it and the CA accepting it as it is digitally signed. Any changes would invalidate the signature.
If the CA won't accept the request, your only option is to go back to the source.