There are many reasons why a CSR may be invalid. When you create the CSR, make sure:
- Your common name is an FQDN (Fully Qualified Domain Name, like example.com or sub.example.com)
- Check the common name field. You may have specified an IP address (e.g. 198.51.100.10) or a server name (e.g. mywebserver) instead of a Fully Qualified Domain Name such as www.example.com or example.com.
The error message can also be caused by a Wildcard common name for a single-domain certificate (e.g. *.example.com) and vice versa (if example.com is specified in the common name field for a Wildcard certificate).
- Make sure you did not use any special characters when filling in the information required for CSR generation. Special characters are [! @ # $ % ^ ( ) ~ ? > < & / \ , . " ' _]
- Check the country field. If you are located in the United Kingdom, do not specify your country code when generating the CSR as "UK". It must be "GB".
- Make sure you have included the header and footer of the CSR in the enrollment form. The header and footer will look like:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
For a Windows-based server, the tags will look like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
- Make sure that there are 5 dashes on each side of Begin and End certificate request. There should also be no trailing spaces in the CSR.
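The checklist above can be run as a pre-submission lint. The following is an added example, not code from the original page or from any certificate authority; the function names, the `wildcard_product` flag and the subject keys (O, L, ST, C) are assumptions, and the special-character rule is applied only to fields other than the common name, since an FQDN necessarily contains dots.

```python
import ipaddress
import re

# Characters the checklist says to keep out of CSR fields.
SPECIAL = set("!@#$%^()~?><&/\\,.\"'_")
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
ARMOR = re.compile(r"^-----(BEGIN|END) (NEW )?CERTIFICATE REQUEST-----$")

def check_common_name(cn, wildcard_product=False):
    """Reject IP addresses and bare server names; match wildcard to product."""
    try:
        ipaddress.ip_address(cn)
        return ["common name is an IP address, not an FQDN"]
    except ValueError:
        pass
    problems = []
    is_wild = cn.startswith("*.")
    labels = (cn[2:] if is_wild else cn).split(".")
    if len(labels) < 2 or not all(LABEL.match(x) for x in labels):
        problems.append("common name is not a fully qualified domain name")
    if is_wild != wildcard_product:
        problems.append("wildcard common name does not match certificate type")
    return problems

def check_fields(fields):
    """fields: subject values other than the common name (assumed keys: O, L, ST, C)."""
    problems = []
    for name, value in fields.items():
        bad = sorted(set(value) & SPECIAL)
        if bad:
            problems.append(f"{name} contains special characters: {' '.join(bad)}")
    if fields.get("C", "").upper() == "UK":
        problems.append('country code must be "GB", not "UK"')
    return problems

def check_armor(pem):
    """Check the BEGIN/END lines (five dashes each side) and trailing spaces."""
    lines = pem.rstrip("\r\n").splitlines()  # a final newline is not a trailing space
    problems = []
    if any(x != x.rstrip() for x in lines):
        problems.append("trailing whitespace in CSR")
    first = ARMOR.match(lines[0].rstrip()) if lines else None
    last = ARMOR.match(lines[-1].rstrip()) if lines else None
    if not (first and first.group(1) == "BEGIN" and last and last.group(1) == "END"):
        problems.append("bad or missing BEGIN/END line")
    elif first.group(2) != last.group(2):
        problems.append("BEGIN and END tags do not match")
    return problems
```

Each function returns a list of problems, so an empty list from all three means the CSR text and the values entered passed every check in the list above.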