Score:0

Microsoft ADCS: change Subject in existing CSR

tc flag

Suppose I have a CSR in which some Subject fields were not created according to X.509 - there are forbidden characters in Subject, or Country was provided as "England".

Is there any way to recover from that?

I tried:

  • using policy.inf to re-sign the certificate, but I can't find any way to change the existing Subject
  • editing the request directly on the CA, but since there's some forbidden stuff in the CSR, the request immediately fails, and using certutil -setattributes results in "CERTSRV_E_BAD_REQUESTSUBJECT" (kind of expected, but a bit weird since you can try to reissue a request that's in the "Failed" list).

I don't think that "fixing" a bad CSR is possible here, but perhaps I'm wrong?

Score:1
br flag

Assuming you're using a standard format for your requests - and you have to with ADCS - there are only two places you can change the Subject (or any other attribute or extension) of a certificate request:

  • at the source by generating a new request; or,
  • request the CA alter the request before it signs it.

You cannot change a certificate request in between generating it and the CA accepting it as it is digitally signed. Any changes would invalidate the signature.

If the CA won't accept the request, your only option is to go back to the source.

tc flag
Thanks, that's what I figured out - I just needed that confirmation. However, I need to point out that you *can* actually change extended attributes of a request prior to sending it to the MS CA using the certreq -policy command - it creates a kind of bundle of the original CSR with the requested changes.
br flag
You're not changing the CSR there - if you did, it would invalidate the signature. What you're effectively doing is sending a request to the CA to consider adding those changes.
tc flag
I never said I want to change the CSR, I only wanted a way to use the public key from the CSR to issue a certificate with different data than is provided in the CSR. This is generally possible, but apparently not for CSRs that have a malformed C field, or non-allowed characters in the Subject field, because the MS CA will straight up refuse to load those CSRs, and it doesn't allow editing Failed requests (even though you can ask the CA to issue those certs, which will of course fail).