
We are using Microsoft Certificate Request (CertReq.exe) to build certificate requests programmatically. For this purpose, we have to create input INF files, see docs here.

The Subject property is defined as Relative Distinguished Name string values, which should be encoded as specified by RFC 1779.

That essentially means simply escaping some characters (", +, ,, ;, <, >, or \) by prefixing them with \.

The problem is that I could not figure out how to properly encode a Subject that has the property "O=Foo + Bar".

Input (relevant INF part):

[NewRequest]
Subject = "CN=www.foo.de,OU=Foobar,O=Foo \+ Bar,L=Foo,S=Bar,C=DE"

Output:

The string contains an invalid X500 name attribute key, oid, value or delimiter. 0x80092023 (-2146885597 CRYPT_E_INVALID_X500_STRING)
c:\file_path.inf([NewRequest] Subject = "CN=www.foo.de,OU=Foobar,O=Foo \+ Bar,L=Foo,S=Bar,C=DE")

Duplicate escaping (using " and \) is discouraged by RFC 1779, but seems to solve problems in LDAP queries (see here, f.i.). However, we also tried not using the quotation marks to specify a subject, but got another unwanted result.

Input:

[NewRequest]
Subject = CN=www.foo.de,OU=Foobar,O=Foo \+ Bar,L=Foo,S=Bar,C=DE

Output:

The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
c:\file_path.inf([NewRequest] Subject = "CN=www.foo.de", "OU=Foobar", "O=Foo \+ Bar", "L=Foo", "S=Bar", "C=DE")

The whole process works without the + sign. What is the correct way to encode an RDN (relative distinguished name) in the INF file?

gpinkas
  • Related; where there's a comma in the DN: https://social.technet.microsoft.com/Forums/windows/en-US/fa15d9ef-bd36-4fdd-86fc-9fa83417fc4c/how-to-insert-special-characters-in-dn?forum=winserversecurity – JohnLBevan Oct 06 '17 at 13:17

1 Answer

Normally the + character has special meaning. You can disable that behavior like this and just use the + character like you would any other.

Subject = CN=www.foo.de,OU=Foobar,O=Foo + Bar,L=Foo,S=Bar,C=DE
X500NameFlags = 0x20000000

The plus character is normally reserved to separate multiple values for multi-valued RDNs.

I'm not entirely sure why escaping it does not work with CertEnroll as you are expecting it to.

vcsjones
  • That did it! There are other encoding issues, f.i. UTF-8 chars, escaping quotes, etc. but I'll start another question after experimenting with other X500NameFlags. – gpinkas Oct 15 '15 at 07:19
  • For documentation on X500NameFlags see https://msdn.microsoft.com/en-us/library/windows/desktop/aa379394%28v=vs.85%29.aspx – gpinkas Oct 15 '15 at 07:24
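To make the answer's point concrete, here is an added example (not code from the question, the answer, or Microsoft) modelling how a DN string parser treats "+" with and without the "no plus" behaviour that X500NameFlags = 0x20000000 selects. It assumes that value is CERT_NAME_STR_NO_PLUS_FLAG from wincrypt.h; the parser is a simplified RFC 1779-style model and not CertEnroll itself, so it accepts the backslash-escaped "\+" that the question reports CertReq rejecting.

```python
# Constructed example: a small X.500 DN string parser that models the
# multi-valued RDN rule ('+' separates attributes inside one RDN) and the
# effect of disabling it, as the answer does with X500NameFlags.
# Assumption: 0x20000000 is CERT_NAME_STR_NO_PLUS_FLAG (wincrypt.h).
CERT_NAME_STR_NO_PLUS_FLAG = 0x20000000


def parse_dn(dn: str, flags: int = 0) -> list[list[tuple[str, str]]]:
    """Split a DN string into RDNs; each RDN is a list of (type, value) pairs.

    ',' ends an RDN and '+' starts another attribute of the same RDN unless
    CERT_NAME_STR_NO_PLUS_FLAG is set, in which case '+' is an ordinary value
    character. A backslash escapes the next character and a double-quoted
    value is taken literally (RFC 1779 style). Raises ValueError when a piece
    has no '=', which is what happens to "O=Foo + Bar" without the flag.
    """
    no_plus = bool(flags & CERT_NAME_STR_NO_PLUS_FLAG)
    rdns, rdn, buf, i = [], [], [], 0
    in_quotes = False

    def flush():
        typ, sep, val = "".join(buf).partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {''.join(buf)!r}")
        rdn.append((typ.strip(), val.strip()))
        buf.clear()

    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep literally
            buf.append(dn[i + 1]); i += 2; continue
        if ch == '"':                           # quoted run: delimiters inert
            in_quotes = not in_quotes; i += 1; continue
        if not in_quotes and ch == ",":         # end of this RDN
            flush(); rdns.append(rdn); rdn = []
        elif not in_quotes and ch == "+" and not no_plus:
            flush()                             # next attribute, same RDN
        else:
            buf.append(ch)
        i += 1
    flush(); rdns.append(rdn)
    return rdns


if __name__ == "__main__":
    print(parse_dn("CN=www.foo.de,O=Foo + Bar,C=DE", CERT_NAME_STR_NO_PLUS_FLAG))
```

Run with the default flags, the same "O=Foo + Bar" subject fails because " Bar" is read as a second attribute of the O RDN with no type, mirroring the invalid X500 string error in the question.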