
Maximum size of CN / subject name

3,112 views

whitewaterbug
Nov 21, 2008, 3:54:50 PM
Guys,

Has anyone found a way to modify the maximum subject name size on
windows 2003 certificate services?

AD schema limits this to 64 characters. People with longer names
don't quite fit in there.

Is there an ability to change the CN attribute to > 64 in AD, or is
there a way to pull from an AD attribute other than CN to populate the
subject name?

ILM has not been purchased, so it would have to work without any ILM
custom policy features.

Brian Komar
Nov 21, 2008, 10:01:03 PM
No.
Per RFC 5280, the common name attribute must enforce a maximum of 64
characters:

-- specifications of Upper Bounds MUST be regarded as mandatory
-- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
-- Upper Bounds

-- Upper Bounds
ub-common-name INTEGER ::= 64

Brian

"whitewaterbug" <whitew...@gmail.com> wrote in message
news:cd0da5fe-7efa-4bc9...@d23g2000yqc.googlegroups.com...

whitewaterbug
Nov 22, 2008, 1:22:10 AM
On Nov 21, 10:01 pm, "Brian Komar" <brian.ko...@nospam.identit.ca> wrote:

> No.
> Per RFC 5280, the common name attribute must enforce a maximum of 64
> characters:
>
> --  specifications of Upper Bounds MUST be regarded as mandatory
> --  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
> --  Upper Bounds
>
> -- Upper Bounds
> ub-common-name INTEGER ::= 64
>
> Brian

Thanks for the reply. Per this link:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame.doc_6.0/rev/am60_install211.htm

All vendors except for MS are supporting larger values.

Even if I can't adjust the maximum size of the CN...can I change where
certificate services looks to build the subject name and then do a
custom schema extension?

Paul Adare
Nov 22, 2008, 1:33:57 AM
On Fri, 21 Nov 2008 22:22:10 -0800 (PST), whitewaterbug wrote:

> Thanks for the reply. Per this link:
>
> http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame.doc_6.0/rev/am60_install211.htm
>
> All vendors except for MS are supporting larger values.
>
> Even if I can't adjust the maximum size of the CN...can I change where
> certificate services looks to build the subject name and then do a
> custom schema extension?

You've missed the point here. The limit in the RFC that Brian mentioned is
a PKI limit, not an LDAP limit. Even if you were able to change what
attribute Certificate Services uses for the Subject name (which you can't)
you wouldn't be able to issue the certificate if the CN was longer than 64
characters as it would violate the RFC.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

Brian Komar
Nov 22, 2008, 9:22:30 AM
If you need to support a longer name, look again at following the RFC.
Issue a certificate with a blank (NULL) subject name.
Then implement the desired name in the Subject Alternative Name (SAN)
extension.
You must then mark the SAN as critical.
See the Domain Controller Authentication certificate template as an example.
Brian

"Paul Adare" <pka...@gmail.com> wrote in message
news:t2rhixsnvblv.1148neof6c2ch$.dlg@40tude.net...
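Worked example, added here and not part of the thread: Python that DER-encodes a subject Name while enforcing the 64-character ub-common-name bound Brian quoted, and checks the blank-subject plus critical-SAN arrangement he suggests above. Tag and OID values are the standard X.690/X.509 ones; the names passed in are constructed samples.

```python
UB_COMMON_NAME = 64  # RFC 5280 Appendix A: ub-common-name INTEGER ::= 64 (characters)
OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # id-at-commonName (2.5.4.3), DER content octets


def der_length(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag-Length-Value for one DER element."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_subject(cn):
    """DER-encode a subject Name holding a single commonName RDN.

    cn=None yields the empty SEQUENCE (blank subject). The bound counts
    characters, so a non-ASCII UTF8String may legally exceed 64 bytes.
    """
    if cn is None:
        return der_tlv(0x30, b"")
    if len(cn) > UB_COMMON_NAME:
        raise ValueError(f"commonName has {len(cn)} chars; ub-common-name is {UB_COMMON_NAME}")
    atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(0x0C, cn.encode("utf-8")))
    return der_tlv(0x30, der_tlv(0x31, atv))  # SEQUENCE { SET { AttributeTypeAndValue } }


def check_subject_policy(cn, san_names=(), san_critical=False):
    """Return RFC 5280 findings for a planned subject/SAN (empty list = conformant).

    RFC 5280 4.2.1.6: when the subject is empty, subjectAltName MUST be
    present and MUST be marked critical, which is the arrangement suggested above.
    """
    findings = []
    if cn is not None and len(cn) > UB_COMMON_NAME:
        findings.append("commonName exceeds ub-common-name (64)")
    if cn is None and not san_names:
        findings.append("empty subject but no subjectAltName present")
    elif cn is None and not san_critical:
        findings.append("empty subject but subjectAltName is not marked critical")
    return findings


if __name__ == "__main__":
    # Constructed sample: a 67-character name that cannot fit in CN, carried in the SAN instead.
    long_name = "Maximilian Alexander Bartholomew Fitzgerald-Montgomery of Someplace"
    print(len(long_name), check_subject_policy(long_name))
    print(check_subject_policy(None, ["maximilian@example.test"], san_critical=True))
    print(encode_subject(None).hex(), encode_subject("Ann").hex())
```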

whitewaterbug
Nov 22, 2008, 10:11:50 AM
On Nov 22, 9:22 am, "Brian Komar" <brian.ko...@nospam.identit.ca> wrote:

> If you need to support a longer name, look again at following the RFC.
> Issue a certificate with a blank (NULL) subject name.
> Then implement the desired name in the Subject Alternative Name (SAN)
> extension.
> You must then mark the SAN as critical.
> See the Domain Controller Authentication certificate template as an example.
> Brian

Thank you for your responses.

I see what you are referring to in 5280; however, the CP does not
allow for a NULL subject name.

I do see your point about CN max size. Given that people can have
long names, 64 is the max CN, CN must have a number concatenated to
get uniqueness leaving less than 64 for actual name, and NULL subject
name is not allowed by policy, are there any options?

Brian Komar
Nov 22, 2008, 12:04:47 PM
Revise your policy.
Your CP is in conflict with RFC 5280.
Reference the RFC during your arguments.
I had a customer recently who also wanted to state no NULL subjects, and I
mentioned that they were in contradiction to the RFC.
They changed the policy due to this.
Brian

"whitewaterbug" <whitew...@gmail.com> wrote in message
news:1ae3ac6d-f79f-424e...@d32g2000yqe.googlegroups.com...
