0X80094001

CERTSRV_E_BAD_REQUESTSUBJECT (0X80094001) Fix

Windows Errors Intermediate 👁 1 views 📅 May 26, 2026

This error pops up when your certificate request's subject name is too long or has invalid characters. The fix is to shorten it or clean up special chars.

When This Error Hits

You're submitting a certificate request to a Windows Server Certificate Authority (CA) — could be via certreq, MMC, or an autoenrollment script — and you get slapped with CERTSRV_E_BAD_REQUESTSUBJECT (0X80094001). The request subject name is either too long or contains characters the CA doesn't like. I've seen this most often when someone pastes a CN with spaces, commas, or Unicode characters, or when the subject string exceeds 64 characters for the CN field alone.

What's Actually Going On

The Windows CA enforces a hard 64-character limit on the Common Name (CN) in the subject. It also rejects certain special characters — commas, semicolons, angle brackets, and anything outside ASCII. The error is blunt: your subject string doesn't meet the certificate name encoding rules. The CA won't even try to issue the cert; it just bounces the request. No amount of retrying will help unless you fix the subject.

The Fix — Step by Step

  1. Check the subject length. Open your request file (INF or CSR) and count the characters in the CN field. If it's 65 or more, shorten it. Drop middle names, abbreviate organizational units, or use a shorter server name. I've had to rename servers to fit this limit more than once.
  2. Strip out bad characters. Remove commas (','), semicolons (';'), angle brackets ('<', '>'), ampersands ('&'), and any non-ASCII characters. Replace spaces with a hyphen or underscore if they're causing issues — though spaces themselves are OK as long as they don't break the encoding. Use only A-Z, a-z, 0-9, hyphens, periods, and spaces. That's it.
  3. Regenerate the request. If you're using certreq -new, edit the INF file. Make sure the Subject line looks like: 
    Subject = "CN=myshortname, OU=IT, O=MyCompany, L=City, S=State, C=US"
    Don't exceed 64 characters for CN. Run certreq -new request.inf request.req again.
  4. Submit the new request. Use certreq -submit request.req request.cer. If it still fails, you've still got a bad character or the CN is still too long.

If It Still Fails

Check the CA's Event Viewer logs under Applications and Services Logs > Microsoft > Windows > CertificateServices > Operational. You'll see a detailed error entry with the exact subject string that was rejected. Also check if the CA policy module has custom subject restrictions — some admins add regex filters that block certain patterns. Finally, make sure your request HTML header is correctly formed. A missing or malformed [NewRequest] section can cause parsing issues that look like a subject error.

Short CNs work. Long CNs don't. Stick to 64 characters or fewer and use plain ASCII. This won't change in future Windows Server versions — the limit is hardcoded.

I've seen this error on Windows Server 2012 R2 through 2022. The fix is always the same: shorten or clean the subject. Don't waste time on the CA configuration — the problem is in your request file.

Was this solution helpful?

CERTSRV_E_BAD_REQUESTSUBJECT 0X80094001 certificate request subject name too long Windows Server certificate authority invalid subject name certreq failed CA error fix AD CS subject length limit certificate request rejection 64-character subject limit special characters in certificate subject