How to expand the maximum extension size limit at AD CS

This article resolves an issue in which Active Directory Certificate Services (AD CS) fails to issue a certificate whose extension data is larger than 4 kilobytes (KB). The cause is the CA database column that stores each extension's raw value, which is limited to 4,096 bytes by default.

Original KB number:   5017242

When this happens, the certsrv log contains the following error:

CertSrv: Field length is greater than maximum 0xc80005e2 (ESE: -1506 JET_errColumnTooBig)

Note

Certsrv logging helps to determine the cause of the error. For more information on enabling the certsrv logging, see Certificate Enrollment Web Services in Active Directory Certificate Services.

Data stored in the custom extension has a limit of 4 KB

The CA database stores each extension's raw value in the ExtensionRawValue column of the Ext table, and that column has a MaxLength of 4,096 bytes (4 KB). Confirm the current limit by running the following command as an administrator:

certutil -schema Ext

You can see the MaxLength property of ExtensionRawValue in the output:

C:\>certutil -schema Ext
Schema:
  Column Name                   Localized Name                Type    MaxLength
  ----------------------------  ----------------------------  ------  ---------
  ExtensionRequestId            Extension Request ID          Long    4 -- Indexed
  ExtensionName                 Extension Name                String  254
  ExtensionFlags                Extension Flags               Long    4
  ExtensionRawValue             Extension Raw Value           Binary  4096

CertUtil: -schema command completed successfully.

The limit can be expanded to 16 KB after installing one of the following or subsequent updates:

Important

The next two sections contain instructions to modify the registry. Serious problems might occur if the registry is modified incorrectly. As a precaution, back up the registry before you modify it. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows.

Expand the limit by using Registry Editor

In Registry Editor, set the 0x1000 bit in the DBFlags (REG_DWORD) value under the following key, keeping whatever bits are already set. Then, restart AD CS.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBFlags

Note

Apply this setting on every AD CS server (CA) where the larger limit is required; it is per-CA, not forest-wide.

Expand the limit by using an administrative command prompt

Run the following commands to set the 0x1000 bit in the DBFlags registry value (the leading + tells certutil to add the flag rather than overwrite the value) and then restart AD CS:

certutil -setreg DBFlags +0x1000
net stop certsvc && net start certsvc

Note

Apply this setting on every AD CS server (CA) where the larger limit is required; it is per-CA, not forest-wide.

When the service starts with this bit set, the CA performs a one-time, irreversible database schema change that widens the column to 16 KB. Clearing the bit afterwards does not shrink it back, and issuance is unavailable for the duration of the restart.

After the expansion is complete and a new backup of the CA database has been taken, consider deleting the pre-expansion backups so that one is not restored by mistake, which would roll the database back to the 4 KB schema.

Verify the limit settings

To verify the new limit, run the following command as an administrator and check that the MaxLength property of ExtensionRawValue now reads 16384 instead of 4096:

C:\>certutil -schema Ext

Schema:
  Column Name                   Localized Name                Type    MaxLength
  ----------------------------  ----------------------------  ------  ---------
  ExtensionRequestId            Extension Request ID          Long    4 -- Indexed
  ExtensionName                 Extension Name                String  254
  ExtensionFlags                Extension Flags               Long    4
  ExtensionRawValue             Extension Raw Value           Binary  16384

CertUtil: -schema command completed successfully.
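The whole procedure (back up the key, set the bit, restart the CA, verify the schema) as one PowerShell script. This is an added example and not part of the KB article; it assumes it runs elevated on the CA itself with certutil.exe in PATH, and the helper function names and the backup file location are this example's own choices. The registry path, the 0x1000 bit and the expected MaxLength values come from the article.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the KB article. Automates the expansion procedure:
# back up the CertSvc configuration key, OR the 0x1000 bit into DBFlags, restart
# the CA and confirm that ExtensionRawValue's MaxLength grew from 4096 to 16384.
# Assumes: run on the CA, certutil.exe in PATH, the prerequisite update installed.

$ConfigKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$ExpandBit  = 0x1000
$BackupFile = Join-Path $env:TEMP ("CertSvc-Configuration-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

function Get-ExtensionRawValueMaxLength {
    # Parse 'certutil -schema Ext' and return the MaxLength of the ExtensionRawValue column.
    $output = certutil -schema Ext 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -schema Ext failed:`n$output" }
    foreach ($line in $output) {
        # Row looks like: "  ExtensionRawValue   Extension Raw Value   Binary  4096"
        if ($line -match '^\s*ExtensionRawValue\s+.*\bBinary\s+(\d+)\s*$') {
            return [int]$Matches[1]
        }
    }
    throw 'ExtensionRawValue row not found in certutil output'
}

function Get-DBFlags {
    # DBFlags is a REG_DWORD under the Configuration key; treat a missing value as 0.
    $item = Get-ItemProperty -Path $ConfigKey -Name DBFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.DBFlags
}

# 1. Record the starting state so the change is visible in the transcript.
$before = Get-ExtensionRawValueMaxLength
$flags  = Get-DBFlags
Write-Host ("Current DBFlags = 0x{0:X8}, ExtensionRawValue MaxLength = {1}" -f $flags, $before)

if ((($flags -band $ExpandBit) -ne 0) -and ($before -ge 16384)) {
    Write-Host 'Expansion already applied; nothing to do.'
    return
}

# 2. Back up the registry key before touching it (the article's precaution).
$regPath = $ConfigKey -replace '^HKLM:\\', 'HKLM\'
reg.exe export $regPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupFile failed" }
Write-Host "Registry key exported to $BackupFile"

# 3. OR the 0x1000 bit into DBFlags without disturbing the other bits.
#    This is equivalent to: certutil -setreg DBFlags +0x1000
Set-ItemProperty -Path $ConfigKey -Name DBFlags -Value ($flags -bor $ExpandBit) -Type DWord

# 4. Restart the CA. The one-time, irreversible schema widening happens during
#    this start, and certificate issuance is unavailable until the service is back.
Restart-Service -Name CertSvc

# 5. Verify the new limit; a value still at 4096 usually means the prerequisite
#    update is not installed, since the flag alone does nothing on older builds.
$after = Get-ExtensionRawValueMaxLength
if ($after -ne 16384) {
    throw "Expected MaxLength 16384 after restart, got $after (is the required update installed?)"
}
Write-Host "ExtensionRawValue MaxLength is now $after"
```

Run it once per CA that needs the larger limit. The script is idempotent: if the bit is already set and the column already reports 16384, it exits before taking a backup or restarting the service, so it is safe to include in a configuration baseline check.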