Sanitizing Common Names

The CNs of the Active Directory (as specified in [MS-ADTS]) objects used by the Windows Client Certificate Enrollment Protocol are created by sanitizing the names of other objects and shortening the sanitized name so that it does not exceed 57 characters, including spaces. The sanitized name MUST NOT exceed 57 characters in length. A name is sanitized by replacing disallowed characters with an exclamation point(!) followed by four hexadecimal values that represent the 16-bit character that is being replaced.

The following rules apply to creating a sanitized CN (short name):

  • All disallowed characters in the original name MUST be replaced with the appropriate replacements values as specified in section

  • The sanitized name MUST be truncated to no more than 51 characters in total length. The truncated name MUST NOT exceed 51 characters. If an incomplete sanitized character sequence remains at the end of the string (for example, !002 instead of !0023), the incomplete sequence MUST be truncated completely.

  • The characters that were removed or truncated from the sanitized string in the preceding bulleted item MUST be hashed according to the rules specified in section The resultant hash MUST be converted to a 5-character string. The string MUST be five characters in total length and MUST be padded with leading zeros on the left to ensure a total length of five characters.

  • A minus sign (–) MUST be appended to the truncated sanitized name followed by the 5-character string that contains the hash value.