
Error: The Request DN could not be created, the Common Name did not contain a valid Domain

Applies to:

All versions of Venafi Encryption Director and Venafi Trust Protection Platform

Symptom:

While renewing a certificate, you get an error:

Example when renewing with VeriSign/Symantec:

The Request DN could not be created, the Common Name did not contain a valid Domain for the VeriSign Account

 


Cause:

This error is typically caused by one of the following:

  1. You are trying to enroll a certificate for a domain that you have not yet registered with your certificate authority.
  2. You have registered a new domain with your certificate authority, but have not re-validated your Certificate Authority Templates in the Policy Tree so that the authorized domain list can be updated.
  3. The Organization you have specified has a typo or is in a different format than what VeriSign has on record. Example: having specified "Venafi inc" instead of "Venafi, inc." (note the comma and period).

More Info:

Depending upon the CA vendor you are enrolling with, the requested domain in the Subject DN is checked against the cached list of authorized domains before enrollment processing begins (Stage 0). You will receive this error if the common name or any DNS Subject Alternative Name does not appear on the cached list of authorized domains.
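The kind of check described above can be run before submitting a renewal. The following is an added example, not Venafi's or the CA's code: the matching rule (exact match or subdomain on whole DNS labels), the function names, and the sample domains are assumptions.

```python
import re

def parse_dn(dn):
    """Parse 'CN=..., O=...' into a dict; '\\,' is an escaped comma in a value."""
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs

def covered(name, authorized):
    """True if name equals an authorized domain or is a subdomain of one.
    Assumed rule: case-insensitive comparison on whole DNS labels."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard is judged by its base domain
    for dom in authorized:
        dom = dom.lower().rstrip(".")
        if name == dom or name.endswith("." + dom):
            return True
    return False

def preflight(subject_dn, dns_sans, authorized, ca_org):
    """Return the problems that would stop the request at the domain check."""
    attrs = parse_dn(subject_dn)
    problems = []
    for name in [attrs.get("CN", "")] + list(dns_sans):
        if not name or not covered(name, authorized):
            problems.append(f"domain not authorized: {name!r}")
    org = attrs.get("O", "")
    if org != ca_org:  # exact match: punctuation such as ',' and '.' counts
        problems.append(f"organization {org!r} != CA record {ca_org!r}")
    return problems

# Constructed sample data standing in for the CA template's cached values.
AUTHORIZED = ["example.com", "example.net"]
CA_ORG = "Venafi, inc."

if __name__ == "__main__":
    good = preflight(r"CN=www.example.com, O=Venafi\, inc., C=US",
                     ["api.example.net"], AUTHORIZED, CA_ORG)
    bad = preflight("CN=www.notexample.com, O=Venafi inc, C=US",
                    ["shop.example.org"], AUTHORIZED, CA_ORG)
    print("good request:", good or "no problems")
    for problem in bad:
        print("bad request:", problem)
```
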

Resolution:

  1. Look at the settings tab on the certificate template and locate the field "CA template".
  2. Make note of the CA template that is specified on the certificate.
  3. Locate the CA template object in the policy tree.
  4. Make note of the different settings on the CA template.
  5. Click the Validate/Retrieve button on the CA template to refresh the list of authorized domains.
  6. You may need to reset values like Organization, Certificate Template, or Validity Period on the object after you do a refresh.
  7. If the new domain does not appear, log in to your CA templates management portal to make sure the domain you are trying to enroll appears on the domain list your Certificate Authority vendor provides.
  8. If it does not, contact your Certificate Authority vendor for steps on how to add a new domain to the list of domains that you can request certificates for.

 

[Screenshot: example of a mocked-up VeriSign CA Template object]
