Assume the following scenario:
- A new Certification Authority certificate is requested for a subordinate Certification Authority and issued by the superordinate Certification Authority.
- The Subject Distinguished Name (Subject DN) is identical to that of the previous certification authority certificate.
- However, the installation of the certificate authority certificate fails with the following error message:
An error was detected while configuring Active Directory Certificate Services. The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration. The new certificate subject name does not exactly match the active CA name. Renew with a new key to allow minor subject name changes: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER).
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
When installing a certification authority certificate, the certification authority compares the Subject Distiguished Name (Subject DN) with that of the previous certification authority certificate.
However, this is not performed as a string comparison, but as a comparison of the checksums (name hashes), which in turn are formed from the binary mapping of the subject DN.
Thus, if the character encoding differs, for example, because on the parent certification authority the Behavior for character encoding has changed in the meantime, the installation of the certificate authority certificate fails with the above error message.
The behavior of the Certification Authority corresponds exactly to that of the Establish a certificate chain (name matching). If a different character encoding were allowed, problems could arise when establishing the certificate chain. It is therefore essential that the character encoding remains identical to the previous certification authority certificate.
The solution is therefore to issue the certification authority certificate with the same character encoding for the Subject DN as before.
Another solution (not tested/confirmed) may be to renew the certificate authority certificate using a new key pair.
2 thoughts on “Die Installation eines neuen Zertifizierungsstellen-Zertifikats schlägt fehl mit Fehlercode „ERROR_INVALID_PARAMETER“”
Comments are closed.