Enrollment Questions

Error issuing certificates regarding users having the same Subject DN

If you get an error when issuing certificates saying that a user cannot have the same Subject DN as another user, it is caused by the Enforce unique DN check.

By default, different end entities cannot have the same subject DN issued from one CA. The check enforces Subject DN uniqueness and is performed when new certificates are issued. 

This may be inconvenient in some cases as one user can appear as multiple end entities.

To disable the enforcement of subject DN uniqueness:


  1. In the CA GUI, click Certification Authorities under CA Functions.
  2. Click Edit CA and, in the CA configuration, clear the option Enforce unique DN.

For more information on the Enforce unique DN option, see CA Fields.


I get an exception with an SQL error like "Value too large for column USERDATA.SUBJECTALTNAME" (or SUBJECTDN) when adding a new user?

This can happen if you have specified one or more fields of the "Subject Alternative Name" with a total length exceeding 255 characters. To avoid this problem, you can safely extend the size of the columns SUBJECTALTNAME and SUBJECTDN of the table USERDATA, and of the column SUBJECTDN of the table CERTIFICATEDATA.

An example for extending the subjectDN and altName columns in MySQL (version > 5.0.3) is:

mysql> alter table CertificateData modify subjectDN varchar(2048); 
mysql> alter table UserData modify subjectDN varchar(2048); 
mysql> alter table UserData modify subjectAltName varchar(2048);

With the new column sizes, you can get problems applying indexes in some versions of databases, for example:
"Specified key was too long; max key length is 767 bytes"

You can circumvent this by creating the index over a subset of the column:

mysql> create index certificatedata_idx4 ON CertificateData (subjectDN(250)); 
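
A check to run before and after the changes above, as an added example that is not part of the EJBCA documentation. It assumes MySQL, that the EJBCA schema is the current default database, and the table and column names used in the statements above.

```sql
-- Added example: inspect column widths, index prefixes and stored lengths.
-- Assumption: the EJBCA schema is the default database (USE <your schema>).

-- 1. Declared width of the DN/altName columns, in characters and in bytes.
--    max_bytes is the figure that counts against the 767-byte key limit.
SELECT TABLE_NAME,
       COLUMN_NAME,
       CHARACTER_MAXIMUM_LENGTH AS max_chars,
       CHARACTER_OCTET_LENGTH   AS max_bytes,
       CHARACTER_SET_NAME
FROM   information_schema.COLUMNS
WHERE  TABLE_SCHEMA = DATABASE()
  AND  LOWER(TABLE_NAME)  IN ('userdata', 'certificatedata')
  AND  LOWER(COLUMN_NAME) IN ('subjectdn', 'subjectaltname');

-- 2. Indexes that include those columns. SUB_PART is the indexed prefix
--    length in characters; NULL means the whole column is indexed.
SELECT TABLE_NAME, INDEX_NAME, SEQ_IN_INDEX, COLUMN_NAME, SUB_PART
FROM   information_schema.STATISTICS
WHERE  TABLE_SCHEMA = DATABASE()
  AND  LOWER(TABLE_NAME)  IN ('userdata', 'certificatedata')
  AND  LOWER(COLUMN_NAME) IN ('subjectdn', 'subjectaltname')
ORDER  BY TABLE_NAME, INDEX_NAME, SEQ_IN_INDEX;

-- 3. Longest values currently stored, and how many rows exceed the
--    250-character prefix used by the index on a subset of the column.
SELECT 'UserData.subjectDN' AS col,
       MAX(CHAR_LENGTH(subjectDN)) AS longest,
       SUM(CHAR_LENGTH(subjectDN) > 250) AS longer_than_250
FROM   UserData
UNION ALL
SELECT 'UserData.subjectAltName',
       MAX(CHAR_LENGTH(subjectAltName)),
       SUM(CHAR_LENGTH(subjectAltName) > 250)
FROM   UserData
UNION ALL
SELECT 'CertificateData.subjectDN',
       MAX(CHAR_LENGTH(subjectDN)),
       SUM(CHAR_LENGTH(subjectDN) > 250)
FROM   CertificateData;
```

If max_bytes for a column is above 767 and SUB_PART is NULL for an index on it, that index is the one that triggers the "Specified key was too long" error.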

I have enrolled manually for a server - why are my PKCS10 DN fields ignored?

PKCS#10 is a standard format for sending the public key (self-signed to provide proof-of-possession) to a CA. EJBCA does not trust the DN parts that the user enters when creating the PKCS#10 request. The only way to make the certificate match what you enter in the PKCS#10 request is to enter the same values in the end entity in EJBCA. If you really trust the RAs that send certificate requests, there is an option "Allow DN Override" in Certificate Profiles that can be used. This is described in more detail in the doc