Info: About the 255 maximum character length for DN Paths in TPP

Applies To:

All Versions of Venafi Trust Protection Platform


Every object in config (for example, Discovery jobs, certificates, devices) is stored in a tree structure called config.  The full path plus the name of the object is what we call the Object DN.

The maximum length that TPP supports for Object DNs is 255 characters.

The maximum number of containers/folders you can have in a config path is 64 folders.

More Details:

The root of the config tree is \VED.  Inside the \VED root are several subtrees, such as:

  • ACME
  • Clients
  • Shared Credentials
  • Discovery
  • Encryption
  • Code Signing
  • Identity
  • Engines
  • Logging
  • Licenses
  • Metadata Root
  • Intermediate and Root Certificates
  • Layout Root
  • Flow
  • Policy
  • Workflow Tickets
  • Secret Store
  • Console
  • Reports
  • Placement
  • Remote Access Root
  • Statistics
  • Upgrades
  • SSO

Not all of the branches of the config tree are visible in WebAdmin or WinAdmin; in fact, most are probably not. However, you will probably recognize some of them, such as "Policy", "Logging" and "Discovery".

For example, if you have the following structure for storing a specific certificate on the policy tree:

  • \VED\Policy\Certificates\Public\Teams\Cloud Infrastructure\

Your DN length would be 69 characters, well below the maximum 255.  TPP counts everything from the beginning of \VED to the last character of the object name; in this case the certificate object name is "".

When configuring your policy tree, it is best NOT to use long descriptive names in the folder path. Several levels of long folder names make it much easier for end users to run into the 255 character maximum during normal operations.

Today, there aren't any places in the product that warn you before an action that it is going to violate the 255 character limit. If you violate the 255 character limit or the 64 folder depth limit while creating, moving, or renaming objects, a config error is returned to the console you are using and the action does not complete successfully.


Characters Not Allowed in Object Names:

While we are on the topic, it's worth calling out that when naming objects, the name needs to meet the following requirements:

  • Cannot be Empty/Null
  • Cannot contain a backslash (\) character
  • Cannot contain a less-than (<) character
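
Because the product does not warn in advance, the limits and naming rules above can be checked before a create, move, or rename is attempted. The sketch below is an added example, not Venafi code; the function names, the sample hostnames, counting \VED toward the 64 folders, and counting one Python character per TPP character are assumptions.

```python
MAX_DN_LENGTH = 255              # from the article
MAX_FOLDER_DEPTH = 64            # from the article
FORBIDDEN_IN_NAME = ("\\", "<")  # from the article
ROOT = "\\VED"


def check_object_dn(parent_dn, name):
    """Return the list of limits a proposed object would break (empty = OK)."""
    problems = []
    parent = parent_dn.rstrip("\\")
    if parent != ROOT and not parent.startswith(ROOT + "\\"):
        problems.append("parent is not under \\VED")
    if not name:
        problems.append("name is empty")
    problems += [f"name contains {c!r}" for c in FORBIDDEN_IN_NAME if c in (name or "")]
    # Assumption: every folder on the path, \VED included, counts toward the 64.
    depth = len([p for p in parent.split("\\") if p])
    if depth > MAX_FOLDER_DEPTH:
        problems.append(f"folder depth {depth} > {MAX_FOLDER_DEPTH}")
    # Assumption: one Python character equals one character as TPP counts it.
    length = len(parent) + 1 + len(name or "")
    if length > MAX_DN_LENGTH:
        problems.append(f"DN length {length} > {MAX_DN_LENGTH}")
    return problems


def check_folder_move(old_folder, new_folder, existing_dns):
    """Map each DN under old_folder to its problems after a move or rename."""
    old, new = old_folder.rstrip("\\"), new_folder.rstrip("\\")
    failures = {}
    for dn in existing_dns:
        if dn != old and not dn.startswith(old + "\\"):
            continue  # not affected by this move
        moved = new + dn[len(old):]
        parent, name = moved.rsplit("\\", 1)
        problems = check_object_dn(parent, name)
        if problems:
            failures[moved] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample data, not from a real TPP instance.
    folder = "\\VED\\Policy\\Certificates\\Public\\Teams\\Cloud Infrastructure"
    print(check_object_dn(folder, "app01.example.com"))
    print(check_object_dn(folder, "bad<name"))
    long_folder = "\\VED\\Policy\\" + "Very Long Descriptive Folder Name\\" * 7 + "Certs"
    print(check_folder_move(folder, long_folder, [folder + "\\app01.example.com"]))
```

Running the folder-move check over an export of existing DNs before renaming a high-level policy folder shows which descendants would cross the limit.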

