FIM CM Subject
Hi, I'm using "Supply in the Request" in the CA and added the FIM Certificate Subject policy module (1.00). When using short text in the Subject fields (cn, ou, o, g, sn, title, ...) that I defined, everything works fine. When trying to enter long text in those defined fields I get an error. Looking at dbo.Certificates I found that cert_issued_distinguished_name is limited to 1024 and that cert_issued_common_name is limited to 256. Is there a way to extend those values? Or any other way to allow longer Subject strings? Avi
December 31st, 2010 10:35am

No. This is a limit imposed by the RFCs. If you are typing more than 1024 characters in a subject name, you really need to reconsider your naming scheme, to be quite honest. Brian
December 31st, 2010 10:59am

Brian, thanks for your prompt response. I'm not sure about the reason I got rejected, but as you can see, I surely didn't type 1024 chars in the subject field.

CN = AAAAA BBB ID-123456789
OU = ABCDEFGHI Ltd.
O = 112222223
C = IL
SERIALNUMBER = 01-123456789

Are you sure the mentioned values (DN 1024, CN 256) are chars? Is CN 256 also defined by the RFC? Can you think of another reason why I get rejected? Just to be more clear, the CA issued the certificate but the FIM rejected the certificate insertion to the SC (no problem when it was with shorter Subject), so no problem in the Policy Module or Enrollment Policy as far as I understand. Avi
December 31st, 2010 11:36am

Um.... You cannot provide a serial number in the request. The serial number is randomly generated and assigned by the CA (not exactly random, but based on an algorithm). Brian
December 31st, 2010 5:23pm

What I wrote is what appears to be in the issued certificate. The field in the Subject is the DeviceSerialNumber and this is supported and appears as SERIALNUMBER in the Certificate. Avi
January 1st, 2011 12:22pm

I do not believe that the MS CA supports this subject item. Try the request without that attribute and see what happens. Brian
January 1st, 2011 12:35pm

Enhancing HKLM\system\CurrentControlSet\Services\CertSvc\Configuration\<CA>\SubjectTemplate will let you do so. I'll check my request again to see if there is something else in it, but again, the CA issues the cert and the problem I run into is that the FIM rejects it (again, no problem when it was with shorter Subject). Avi
January 1st, 2011 1:53pm

"I do not believe that the MS CA supports this subject item. Try the request without that attribute and see what happens. Brian"

I think this is not true. See http://social.technet.microsoft.com/Forums/en/ilm2/thread/dccc6daf-923d-4cf5-ab46-1d3669e0737d for more information. Martin
January 3rd, 2011 4:16am

What I should have stated is that it is not supported by default; you have to make the modifications you have referenced in Anton's answer. Sorry for the confusion. Brian
January 3rd, 2011 8:12am

Thanks Martin and Brian. As I said, I did enter the relevant subject fields to the SubjectTemplate key. Anyway, it seems like it's working now after doing some changes in my CA configuration. Thanks again. Avi.
January 4th, 2011 2:14am

This topic is archived. No further replies will be accepted.