0X8009480F

Fix 0X8009480F: DNS name unavailable for Subject Alt Name

Network & Connectivity · Intermediate · May 28, 2026

This happens when the certificate template tells the CA to build a DNS name into the Subject Alternative Name from Active Directory and the enrolling account's AD object has no dNSHostName to supply. Fix the object, use a template that takes the name from the request, or change the template. Here's how.

You're submitting a certificate request and get slapped with CERTSRV_E_SUBJECT_DNS_REQUIRED (0x8009480F). The message says the DNS name is unavailable and cannot be added to the Subject Alternate Name. I've seen this a hundred times. Despite how the message reads, the CA is not doing a DNS lookup. The template told the policy module to build a DNS name into the SAN from Active Directory, and the enrolling account's AD object had no dNSHostName attribute to give it.

The root cause is almost always one of two things: either the identity doing the enrolling has no dNSHostName in AD (a user account, or a computer object whose attribute was never populated), or the template's Subject Name is set to 'Build from this Active Directory information' with 'DNS name' ticked when it should take the name from the request. Here's how to kill this error fast.

The 30-second fix: Use a template that takes the SAN from the request

If the template's Subject Name tab is set to 'Supply in the request', the CA never goes to AD for a DNS name; the subject and SAN are whatever your request carries, so this error cannot occur. That is the right choice for a server known by a name or alias that isn't its AD dNSHostName (a load-balanced VIP, a service alias). Regenerate your request file against such a template and put the DNS SAN in yourself.

If you're using certreq with an INF file, this is what that looks like. For example:

; Request against a template whose Subject Name is 'Supply in the request'.
[NewRequest]
Subject = "CN=mywebserver, DC=contoso, DC=com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE            ; set FALSE unless the private key must leave this machine
MachineKeySet = TRUE         ; key lives in the computer store, not the user's
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0              ; digitalSignature + keyEncipherment

[RequestAttributes]
CertificateTemplate = WebServer   ; assumed: the built-in Web Server template, Subject Name = Supply in the request

[Extensions]
2.5.29.17 = "{text}DNS=mywebserver.contoso.com"   ; the SAN the CA will copy into the certificate

Name the template in the request (a [RequestAttributes] section with CertificateTemplate = <name>, or certreq's -attrib switch at submit time) and resubmit. If that template really is 'Supply in the request', you're done: the CA takes the DNS name from the extension you supplied and never asks AD for one.

But if the template you must use is locked to 'Build from this Active Directory information' with 'DNS name' included (most machine templates, such as Computer, are), nothing you put in or leave out of the request helps. The CA still needs a dNSHostName from AD and you'll fail on submission again. That's when you move to the moderate fix.

The 5-minute fix: Populate the DNS name the CA reads from Active Directory

This is the proper fix when you actually need the template's DNS SAN. The CA's policy module builds it from the dNSHostName attribute of the enrolling account's AD object. If that attribute is empty, or the enrolling account is a user and so has no such attribute at all, you get 0x8009480F. Look at the object, not the DNS zone.

First make sure the request is being made as the computer: enroll from the machine store (certlm.msc, or certreq with MachineKeySet = TRUE run from an elevated prompt), not from a user context. Then check the computer object in AD. dNSHostName is normally written when the machine joins the domain, but pre-staged accounts, objects created by provisioning tools, and machines renamed outside of a domain join can be missing it. Set it to the fully qualified name (the ADUC attribute editor, ADSI Edit, or Set-ADComputer) and make sure a matching A record exists, or a CNAME if the host is reached through an alias, so the name that ends up in the certificate is one clients can actually reach.

Once the attribute is written, wait for AD replication to the domain controller the CA talks to (or force it with repadmin /syncall). Then resubmit the request. The CA reads the name from AD and the error disappears.

One gotcha: a resolvable name is not what the policy module checks. Run nslookup mywebserver.contoso.com from the CA server to confirm the DNS side matches what you wrote into AD, but if dNSHostName is empty the request fails however well the name resolves.
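To see which side is broken before touching anything, here is an added PowerShell check (example code written for this article, not from the original page or from Microsoft). It assumes the RSAT ActiveDirectory module is installed, that the template and computer names are placeholders you replace, and that the msPKI-Certificate-Name-Flag bit values quoted in the comments follow the MS-CRTD template specification.

```powershell
# Added example: decide whether the template or the computer object causes 0x8009480F.
# Assumes: RSAT ActiveDirectory module; run as a domain user who can read the Configuration
# partition and the computer object. Template/computer names below are placeholders.
param(
    [string]$TemplateName = 'Computer',      # display name or CN of the template (placeholder)
    [string]$ComputerName = 'mywebserver'    # computer account name without the trailing $ (placeholder)
)
Import-Module ActiveDirectory

# msPKI-Certificate-Name-Flag bits (MS-CRTD). Only the ones relevant to this error are decoded.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # 'Supply in the request': CA ignores AD for names
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS   = 0x08000000   # 'DNS name' ticked under alternate subject name
$CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN = 0x10000000   # subject name format 'DNS name'

$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
               (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject -SearchBase $templatesDn `
    -LDAPFilter "(|(cn=$TemplateName)(displayName=$TemplateName))" `
    -Properties 'msPKI-Certificate-Name-Flag' | Select-Object -First 1
if (-not $template) { throw "Template '$TemplateName' not found under $templatesDn" }

# The attribute is a signed 32-bit integer in AD; normalise to unsigned before testing bits.
$nameFlags = [int64]$template.'msPKI-Certificate-Name-Flag' -band 0xFFFFFFFF
$suppliesSubject = ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$wantsDns        = ($nameFlags -band ($CT_FLAG_SUBJECT_ALT_REQUIRE_DNS -bor $CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN)) -ne 0
$needsDnsFromAd  = (-not $suppliesSubject) -and $wantsDns

$computer    = Get-ADComputer -Identity $ComputerName -Properties dNSHostName -ErrorAction Stop
$dnsHostName = $computer.dNSHostName

# Does the name the CA would put in the certificate also exist in DNS? Not what the CA checks,
# but a certificate for a name clients can't reach is useless.
$resolves = $false
if ($dnsHostName) {
    $resolves = [bool](Resolve-DnsName -Name $dnsHostName -Type A -ErrorAction SilentlyContinue)
}

$verdict = if (-not $needsDnsFromAd) {
    'Template does not build a DNS name from AD; 0x8009480F must come from a different template.'
} elseif ([string]::IsNullOrEmpty($dnsHostName)) {
    "Template requires DNS from AD and $ComputerName has no dNSHostName: this is the cause. " +
    "Populate it (Set-ADComputer -DNSHostName) and enroll as the machine, not as a user."
} elseif (-not $resolves) {
    "dNSHostName '$dnsHostName' is set (CA will issue) but does not resolve; fix DNS so clients can use the cert."
} else {
    "dNSHostName '$dnsHostName' is set and resolves; if the error persists the request is probably running as a user."
}

[pscustomobject]@{
    Template                = $template.Name
    NameFlagsHex            = '0x{0:X8}' -f $nameFlags
    EnrolleeSuppliesSubject = $suppliesSubject
    RequiresDnsFromAd       = $needsDnsFromAd
    Computer                = $computer.Name
    DnsHostName             = $dnsHostName
    ResolvesInDns           = $resolves
    Verdict                 = $verdict
}
```

Everything the script reads is visible to Authenticated Users by default, so it can be run from any domain-joined admin workstation; the verdict line tells you whether to fix the object, the template, or the enrollment context.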

The 15-minute fix: Let the requester supply the SAN on the CA (EditFlags)

If you can't fix the AD object or the template (maybe it's a temporary name or an internal alias), you can make the CA accept a SAN passed as a request attribute, whatever the template says. This is the nuclear option. It does not turn off a DNS check (there is none); it turns off the CA's only control over which names end up in issued certificates. Only do it if you understand the implications, and plan to revert it.

The setting lives in the CA's default policy module (display name 'Windows default', registry name CertificateAuthority_MicrosoftDefault.Policy). Its behaviour is controlled by an EditFlags DWORD on the CA server. Back up the key first.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CA Name]\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy

The DWORD value EditFlags is already there on any working CA; don't create a second one elsewhere. The bit you want is EDITF_ATTRIBUTESUBJECTALTNAME2, 0x00040000 (262144 decimal). OR it into the existing value. Do not set the value to 0x00040000 outright: EditFlags holds a dozen other flags the CA depends on (request extension handling, AKI generation and so on) and overwriting them breaks issuance in new ways. certutil's -setreg policy\EditFlags with a leading plus sign adds a single named flag and leaves the rest alone, which is why everyone uses it instead of regedit.

After changing it, restart the Certificate Services service:

net stop certsvc && net start certsvc

Now resubmit, passing the name as a request attribute (san:dns=mywebserver.contoso.com) next to the template name. The CA copies whatever SAN the requester supplied into the certificate; it checks only that the attribute is well formed, not that the name belongs to the requester or matches the template's SAN settings. Whether this also clears CERTSRV_E_SUBJECT_DNS_REQUIRED on a template that builds its subject from AD depends on the template, so test with one request before you rely on it.

This is exactly why it is dangerous: with the flag set, any account that can enroll for any template on this CA can ask for a certificate carrying any DNS name or UPN, including a domain administrator's, and use it to log on. That is the widely documented ESC6 misconfiguration, and it is among the first things a red team checks on AD CS. Treat the flag as a maintenance window, not a setting, and clear it once the legitimate certificate has been issued.

I've seen this cause headaches when someone uses a SAN like 'webserver' without the domain suffix. The flag doesn't make a short name any more useful; the CA simply stops asking, and you get a certificate that clients can't match to the host. Supply the fully qualified name.
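Before and after touching the flag, check what the CA is actually configured with. This is an added PowerShell example (written for this article, not from the page or from Microsoft). It assumes it runs locally on the CA with administrative rights, that the registry layout above is in place, and that the template and host names in the comments are placeholders.

```powershell
# Added example: audit EDITF_ATTRIBUTESUBJECTALTNAME2 on the local CA and toggle it without
# clobbering the other EditFlags bits. Assumes: run on the CA as a local administrator.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # 262144: CA honours 'san:' request attributes on any template

function Get-CaEditFlags {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active     # name of the active CA instance
    $policy = Join-Path $cfg "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $raw    = (Get-ItemProperty -Path $policy -Name EditFlags).EditFlags
    $flags  = [int64]$raw -band 0xFFFFFFFF                           # DWORD may read back as a negative Int32
    [pscustomobject]@{
        CaName               = $caName
        EditFlagsHex         = '0x{0:X8}' -f $flags
        RequesterSuppliesSan = [bool]($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)   # true = ESC6 exposure
    }
}

function Set-CaRequesterSuppliedSan {
    # $true ORs the bit in, $false clears it. certutil's +/- syntax touches only this one flag,
    # unlike writing 0x40000 to the value, which would wipe every other EditFlags bit.
    param([Parameter(Mandatory)][bool]$Enable)
    $arg = if ($Enable) { '+EDITF_ATTRIBUTESUBJECTALTNAME2' } else { '-EDITF_ATTRIBUTESUBJECTALTNAME2' }
    & certutil -setreg 'policy\EditFlags' $arg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service certsvc            # the policy module reads EditFlags at start-up
    Get-CaEditFlags
}

# Shape of the request the flag enables (placeholders). The CA puts this exact name in the SAN
# regardless of the template's Subject Name settings; nothing checks that the name belongs to the caller:
#   certreq -submit -attrib "CertificateTemplate:WebServer\nsan:dns=mywebserver.contoso.com" request.req cert.cer
# The same mechanism is what makes the flag ESC6: substitute "san:upn=administrator@contoso.com" on any
# template that allows client authentication and the enrollee holds a logon certificate for the domain admin.

$state = Get-CaEditFlags
$state
if ($state.RequesterSuppliesSan) {
    Write-Warning ("EDITF_ATTRIBUTESUBJECTALTNAME2 is set on $($state.CaName): any enrollee can obtain a " +
                   "certificate for any DNS name or UPN (ESC6). Clear it with Set-CaRequesterSuppliedSan -Enable `$false " +
                   "as soon as the legitimate request has been issued.")
}
```

Run it as-is to audit; call Set-CaRequesterSuppliedSan explicitly to change state, and run the audit again afterwards so the EditFlagsHex value before and after can go in the change record.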

When none of these work

If you still get the error, look at what the CA recorded. In the Certification Authority console (certsrv.msc) the Failed Requests folder lists the request with its Request Status Code; 0x8009480f there confirms it is this error and not a client-side one, and the Requester Name column tells you whether a user or a computer account (name ending in $) was enrolling. If Certification Services auditing is enabled, the Security log on the CA carries event 4886 (request received), 4887 (issued) and 4888 (denied) with the same detail. certutil -error 0x8009480F decodes the code if all you have is the number.

Also verify the certificate template you're using. Open the Certificate Templates snap-in (certtmpl.msc), open the template and look at the Subject Name tab. If 'Build from this Active Directory information' is selected and 'DNS name' is ticked under 'Include this information in alternate subject name' (or the subject name format is 'DNS name'), the CA will always require a dNSHostName from the enrollee's AD object. Nothing in the request can substitute for it, and a user account enrolling for such a template fails this way every time.

Last resort: duplicate the template, and on the copy either untick 'DNS name' under the alternate subject name or switch the Subject Name to 'Supply in the request' and carry the DNS SAN in the request yourself. Publish the copy and enroll against it. That avoids the error completely, but if you drop the DNS SAN rather than supplying it, TLS clients will no longer be able to match the certificate to the hostname, so check what the consuming service needs first.
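If you'd rather pull the failed requests than click through the console, here is an added PowerShell example (written for this article, not from the page or from Microsoft) that reads the CA database through its ICertView COM interface. It assumes the CA config string is a placeholder you replace and that the caller has Read access to the CA database (CA administrators and auditors do).

```powershell
# Added example: list failed requests on a CA and pick out those rejected with 0x8009480F.
# Assumes: placeholder CA config string; run as someone with Read access to the CA database.
$CaConfig   = 'ca01.contoso.com\Contoso Issuing CA'   # placeholder: "<hostname>\<CA common name>"
$TargetCode = 0x8009480F                               # CERTSRV_E_SUBJECT_DNS_REQUIRED

$CVR_SEEK_EQ    = 1    # SetRestriction seek operator: equals
$CVR_SORT_NONE  = 0
$CV_OUT_BASE64  = 1    # GetValue flag; non-binary columns come back as their native type
$DB_DISP_ERROR  = 30   # request failed in the policy module (certsrv.msc shows these under Failed Requests)
$DB_DISP_DENIED = 31   # request denied by policy or an administrator

function Get-FailedCaRequests {
    param([string]$Config, [int[]]$Dispositions = @($DB_DISP_ERROR, $DB_DISP_DENIED))
    $columns = 'Request.RequestID', 'Request.RequesterName', 'Request.SubmittedWhen',
               'Request.StatusCode', 'Request.DispositionMessage'
    foreach ($disp in $Dispositions) {
        $view = New-Object -ComObject CertificateAuthority.View
        $view.OpenConnection($Config)
        $view.SetResultColumnCount($columns.Count)
        foreach ($c in $columns) { $view.SetResultColumn($view.GetColumnIndex(0, $c)) }
        $view.SetRestriction($view.GetColumnIndex(0, 'Request.Disposition'), $CVR_SEEK_EQ, $CVR_SORT_NONE, $disp)
        $rows = $view.OpenView()
        while ($rows.Next() -ne -1) {
            $rec  = @{ Disposition = $disp }
            $cols = $rows.EnumCertViewColumn()
            while ($cols.Next() -ne -1) {
                $rec[($cols.GetName() -replace '^Request\.', '')] = $cols.GetValue($CV_OUT_BASE64)
            }
            [pscustomobject]$rec
        }
    }
}

function Get-SubjectDnsRequiredFailures {
    # StatusCode is stored as a signed 32-bit HRESULT; normalise before comparing to the unsigned constant.
    param([string]$Config)
    Get-FailedCaRequests -Config $Config |
        Where-Object { $null -ne $_.StatusCode -and (([int64]$_.StatusCode) -band 0xFFFFFFFF) -eq $TargetCode } |
        Select-Object RequestID, RequesterName, SubmittedWhen,
                      @{ n = 'StatusCode'; e = { '0x{0:X8}' -f (([int64]$_.StatusCode) -band 0xFFFFFFFF) } },
                      @{ n = 'EnrolledAs'; e = { if ($_.RequesterName -like '*$') { 'computer' } else { 'user (no dNSHostName)' } } },
                      DispositionMessage
}

Get-SubjectDnsRequiredFailures -Config $CaConfig | Format-Table -AutoSize
```

The EnrolledAs column is the quickest tell: a requester name without a trailing $ is a user account, and a user can never satisfy a template that builds the DNS name from AD, however the DNS zone looks.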

In 14 years, I've fixed this error at least 30 times. The registry edit is my go-to when the team that owns the record the CA reads is slow to fix it. But if you can, fix the record. It's cleaner and keeps your CA's issuance controls intact.
