Before you configure certification authorities (CAs) in your organization, you should establish a CA naming convention.

Names for CAs cannot be more than 64 characters in length. You can create a name by using any Unicode character, but you might want to use the ANSI character set if interoperability is a concern. For example, certain types of routers will not be able to use the Network Device Enrollment Service to enroll for certificates if the CA name contains special characters such as an underscore.


If you use non-Latin characters (such as Cyrillic, Arabic, or Chinese characters), your CA name must contain fewer than 64 characters. If you use only non-Latin characters, your CA name can be no more than 37 characters in length.

In Active Directory Domain Services (AD DS), the name that you specify when you configure a server as a CA becomes the common name of the CA, and this name is reflected in every certificate that the CA issues. For this reason, it is important that you do not use the fully qualified domain name for the common name of the CA. This way, malicious users who obtain a copy of a certificate cannot identify and use the fully qualified domain name of the CA to create a potential security vulnerability.

The CA name does not have to be identical to the name of the computer. However, you cannot change the name of a server after Active Directory Certificate Services (AD CS) has been installed without invalidating all the certificates issued by the CA.

To change the server name after AD CS has been installed, you must uninstall the CA, change the name of the server, reinstall the CA, and reissue all the certificates issued by the CA.

You do not have to reinstall a CA if you rename a domain; however, you will have to reconfigure the CA to support the name change.

Additional references