Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".

Assume the following scenario:

  • A Certification Authority certificate is requested from a Certification Authority
  • The certificate request fails with the following error message:
The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)
Denied by Policy Module

In addition, the certification authority logs the corresponding Event ID 53:

Active Directory Certificate Services denied request 57 because The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE). The request was for CN=Invalid Path Length CA. Additional information: Denied by Policy Module

Possible causes

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

Basically, this error occurs when the certification authority certificate carries a certificate policy (issuance policy), an application policy restriction, or a path length constraint that conflicts with the requested certificate. Examples include:

  • The certification authority certificate has a path length constraint and a subordinate certification authority certificate is requested
  • The certificate policy (issuance policy) on a root certification authority was changed when the certification authority certificate was renewed

Details: The certification authority certificate has a path length constraint and a subordinate certification authority certificate is requested

This error occurs if the certification authority certificate has a path length constraint with the value "0", which means it may only issue end-entity certificates and is not allowed to issue certification authority certificates. This behavior is an intended security feature and therefore cannot be disabled.
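To make the rule concrete, here is an added example (not code from the article, from Microsoft, or from TameMyCerts) that decodes the DER value of the X.509 basicConstraints extension and applies the RFC 5280 pathLenConstraint rule that the CA's policy module enforces when it refuses a subordinate CA request. The DER byte strings are constructed by hand for illustration; the function names are my own.

```python
"""Decode X.509 basicConstraints (DER) and check whether a CA chain may issue
one more subordinate CA certificate.

Added example for illustration; not part of the original article.
"""
from typing import Optional, Sequence, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    basicConstraints values are tiny, so only short-form lengths are handled."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected in basicConstraints")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end


def decode_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Parse BasicConstraints ::= SEQUENCE {
           cA                 BOOLEAN DEFAULT FALSE,
           pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
    Returns (is_ca, path_len); path_len is None when the field is absent."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("basicConstraints must be a single SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        is_ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:          # INTEGER pathLenConstraint
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be >= 0")
    if pos != len(body):
        raise ValueError("unexpected trailing data in basicConstraints")
    return is_ca, path_len


def subordinate_ca_allowed(chain: Sequence[bytes]) -> bool:
    """chain: basicConstraints values from the root down to the CA that would
    sign the new subordinate CA certificate.  RFC 5280 6.1.4: a CA's
    pathLenConstraint is the maximum number of further (non-self-issued)
    CA certificates that may follow it in a path; each lower CA consumes one."""
    remaining: Optional[int] = None                    # None = unlimited
    for depth, bc in enumerate(chain):
        is_ca, path_len = decode_basic_constraints(bc)
        if not is_ca:
            return False                               # an end-entity cert cannot sign
        if depth > 0 and remaining is not None:
            remaining -= 1                             # this CA used one unit of allowance
            if remaining < 0:
                return False                           # the existing chain is already invalid
        if path_len is not None and (remaining is None or path_len < remaining):
            remaining = path_len                       # tighter constraint wins
    # The requested subordinate CA would be one more CA below the last cert.
    return remaining is None or remaining >= 1


# Constructed DER values, as they appear in a certificate dump:
CA_NO_LIMIT  = bytes.fromhex("3003 0101ff")          # cA=TRUE, no path length
CA_PATHLEN_0 = bytes.fromhex("3006 0101ff 020100")   # cA=TRUE, pathLenConstraint=0
CA_PATHLEN_1 = bytes.fromhex("3006 0101ff 020101")   # cA=TRUE, pathLenConstraint=1
END_ENTITY   = bytes.fromhex("3000")                  # empty SEQUENCE: cA defaults to FALSE

if __name__ == "__main__":
    # The article's scenario: a CA whose certificate has pathLenConstraint=0
    # is asked for a subordinate CA certificate.
    scenarios = {
        "root without path length":            [CA_NO_LIMIT],
        "root with pathLen=0 (article case)":  [CA_PATHLEN_0],
        "root pathLen=1 -> sub-CA (no limit)": [CA_PATHLEN_1, CA_NO_LIMIT],
    }
    for name, chain in scenarios.items():
        verdict = "may issue a sub-CA" if subordinate_ca_allowed(chain) else "must refuse the sub-CA request"
        print(f"{name}: {verdict}")
```

The third scenario shows that the constraint is inherited down the chain: a root with pathLenConstraint=1 may issue one subordinate CA, but that subordinate CA cannot issue another CA certificate even though its own certificate carries no path length constraint.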

See also the article "Basics: Path Length Constraint".

Details: The certificate policy (issuance policy) on a root certification authority was changed when the certification authority certificate was renewed

The error can occur on a root certification authority when its certification authority certificate is renewed and the issuance policy is changed via capolicy.inf at the same time.

When a root certification authority renews its certification authority certificate with a newly generated key pair, it tries to create a cross certificate between the new and the previous certification authority certificate. If the issuance policies of the two certificates differ, this fails.

The certification authority retries (and fails) this process every time the service is started, so new failed requests are generated over and over again.

By the way, an interesting detail here is that the failed certificate request cannot be viewed.

This is also indicated accordingly in the Event Viewer with Event ID 102 (pictured).

In this case, the following options are available for solution:
