Suppose I have a CSR in which some Subject fields were not created according to X.509 - there are forbidden characters in Subject, or Country was provided as "England".

Is there any way to recover from that?

I tried:

  • using policy.inf to resign the certificate, but I can't find any way to change existing Subject
  • editing request directly on CA, but since there's some forbidden stuff in the CSR, the request immediately fails, and using certutil -setattributes results in "CERTSRV_E_BAD_REQUESTSUBJECT" (kind of expected, but a bit weird since you can try to reissue a request that's in "Failed" list).

I don't think that "fixing" bad CSR is possible here, but perhaps I'm wrong?

StanTastic

1 Answer

Assuming you're using a standard format for your requests - and you have to with ADCS - there are only two places you can change the Subject (or any other attribute or extension) of a certificate request:

  • at the source by generating a new request; or,
  • request the CA alter the request before it signs it.

You cannot change a certificate request in between generating it and the CA accepting it as it is digitally signed. Any changes would invalidate the signature.

If the CA won't accept the request, your only option is to go back to the source.

garethTheRed
  • Thanks, that's what I figured out - I just needed that confirmation. However I need to point out that you *can* actually change extended attributes to request prior to sending to MS CA using certreq -policy command - it creates a kind of bundle of original CSR with requested changes. – StanTastic Oct 28 '21 at 14:14
  • You're not changing the CSR there - if you did, it would invalidate the signature. What you're effectively doing is sending a request to the CA to consider adding those changes. – garethTheRed Oct 28 '21 at 17:08
  • I never said I want to change the CSR, I only wanted a way to use the public key from the CSR to issue a certificate with different data than is provided in the CSR. This is generally possible, but apparently not for CSRs that have a malformed C field, or non-allowed characters in the Subject field, because MS CA will straight up refuse to load those CSRs, and it doesn't allow editing Failed requests (even though you can ask the CA to issue those certs, which will of course fail). – StanTastic Oct 29 '21 at 18:12
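The point the answer makes (the subject is inside the signed part of the PKCS#10 request, so nothing can be edited in transit and the only fix is a fresh request from the same key) can be shown end to end in a few lines of Go. The following is an added example, not code from either poster or from ADCS; it uses only Go's standard library, constructs a request with `C=England` like the one in the question, checks the countryName rules from RFC 5280 (PrintableString, exactly two characters), patches the DER in place to show the self-signature breaking, and then regenerates a request with the same key and a corrected subject. The subject values (`England`, `GB`, `host.example`) are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// isPrintableString reports whether s uses only the ASN.1 PrintableString
// repertoire. RFC 5280 requires countryName to be a PrintableString.
func isPrintableString(s string) bool {
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case bytes.ContainsRune([]byte(" '()+,-./:=?"), r):
		default:
			return false
		}
	}
	return true
}

// CheckSubject returns the subject problems a CA is entitled to reject.
// Only the countryName rules are checked here: PrintableString and exactly
// two characters (an ISO 3166 alpha-2 code such as "GB").
func CheckSubject(n pkix.Name) []string {
	var problems []string
	for _, c := range n.Country {
		if !isPrintableString(c) {
			problems = append(problems, fmt.Sprintf("C=%q: not a PrintableString", c))
		}
		if len(c) != 2 {
			problems = append(problems, fmt.Sprintf("C=%q: countryName must be exactly 2 characters", c))
		}
	}
	return problems
}

// NewCSR builds a PKCS#10 request for key with the given subject.
func NewCSR(key *ecdsa.PrivateKey, subject pkix.Name) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
}

// PatchSubject overwrites one same-length value inside the DER. The ASN.1
// structure still parses, but the signed certificationRequestInfo changed,
// so the request's own signature no longer verifies.
func PatchSubject(der []byte, old, repl string) ([]byte, error) {
	if len(old) != len(repl) {
		return nil, errors.New("replacement must keep the DER length")
	}
	i := bytes.Index(der, []byte(old))
	if i < 0 {
		return nil, errors.New("value not found in request")
	}
	out := append([]byte(nil), der...)
	copy(out[i:], repl)
	return out, nil
}

// Verify parses a DER request and checks its self-signature, which is the
// first thing a CA does with an incoming CSR.
func Verify(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// The malformed request from the question: C=England instead of a 2-letter code.
	bad, _ := NewCSR(key, pkix.Name{Country: []string{"England"}, CommonName: "host.example"})
	csr, err := Verify(bad)
	fmt.Println("original: signature ok =", err == nil, "problems =", CheckSubject(csr.Subject))

	// Editing the request in transit: structure survives, signature does not.
	patched, _ := PatchSubject(bad, "England", "Britain")
	_, err = Verify(patched)
	fmt.Println("patched in place: signature ok =", err == nil)

	// Going back to the source: same key, corrected subject, valid signature.
	good, _ := NewCSR(key, pkix.Name{Country: []string{"GB"}, CommonName: "host.example"})
	fixed, err := Verify(good)
	sameKey := fixed.PublicKey.(*ecdsa.PublicKey).Equal(key.Public())
	fmt.Println("regenerated: signature ok =", err == nil, "same key =", sameKey, "problems =", CheckSubject(fixed.Subject))
}
```

Running it prints that the original request verifies but fails the countryName check, the in-place edit parses yet fails signature verification, and the regenerated request verifies, carries the same public key, and has no subject problems. That last line is what `certreq -policy` can never give you: it wraps the original, still-invalid CSR, so a CA that refuses to load it in the first place never gets as far as applying the policy changes.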