Character restrictions when creating an EV Certificate in Key Vault

Andre Reschke 6 Reputation points
2022-01-12T15:40:09.377+00:00

Hi,

I am trying to create a certificate for code signing within azure key vault (Web Portal).
Our official company name contains a + and - character.

Is there a restriction on using those in the Subject entry (CN=...)?

As soon as either of those characters is entered, the creation fails with:

Code: BadParameter
Message: Something went wrong with the certificate creation.
Raw Error: Property policy.x509_props has invalid value. Invalid X.500 distinguished name

Am I forced to leave those characters out, which will most likely result in rejection from the CA signing the CSR?
Or is there a way to escape those characters so they can be included in the subject?

regards

Andre Reschke


2 answers

Sort by: Most helpful
  1. Maslowski, Bohdan 5 Reputation points
    2025-01-14T13:27:55.56+00:00

    Quoted values (CN="name, with comma") are accepted by Azure Key Vault, but only if you add another attribute (C/O etc.) after the CN

    CN=name without comma - works

    CN="name, with comma" - fails

    C=US,CN="name, with comma" - works

    CN="name, with comma",C=US - fails

    Obviously a bug in Azure IMO.

    1 person found this answer helpful.

  2. JamesTran-MSFT 36,786 Reputation points Microsoft Employee
    2022-01-12T23:51:47.503+00:00

    @Andre Reschke
    Thank you for your post!

    I reproduced your issue and found that the only restricted character within your official company name for the Subject (CN) is the + symbol. I created a certificate with a dash (-) in the Subject, but had to follow our Relative Distinguished Name (RDN) guidelines as noted within our Create and merge a certificate signing request in Key Vault documentation; these guidelines didn't work when using the + symbol.

    RDN Note:
    If you're using a Relative Distinguished Name (RDN) that has a comma (,) in the value, wrap the value that contains the special character in double quotes.
    Example: Subject: "CN=www.contosoHR-App.com"

    From the error message we received ("Property policy.x509_props has invalid value. Invalid X.500 distinguished name"), I found an Intune article, Create and assign SCEP certificate profiles in Intune, which details known issues when creating certificates with an Intune-specific feature, Simple Certificate Enrollment Protocol (SCEP).

    Avoid certificate signing requests with escaped special characters
    There's a known issue for SCEP and PKCS certificate requests that include a Subject Name (CN) with one or more of the following special characters as an escaped character. Subject names that include one of the special characters as an escaped character result in a CSR with an incorrect subject name.

    The special characters are:
    • + (plus sign)
    • , (comma)
    • ; (semicolon)
    • = (equals sign)

    When your subject name includes one of the special characters, use one of the following options to work around this limitation:

    • Encapsulate the CN value that contains the special character with quotes.
    • Remove the special character from the CN value.

    Based on our Intune and Key Vault certificate articles, I don't believe there's any way to include the + symbol in your CN. However, I've reached out to our Azure Key Vault engineering team to get their input, and will update as soon as possible.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

