How to create SSL certificate with CSR and KEY self-created with very long CN?

I am using this website to generate KEY and CSR for me:
I want to create CSR and KEY with the following information:

  • Common Name (CN): yidongku.xx.xx, *.yidongku.xx.xx, filehosting.xxxxx.xx, *.filehosting.xxxxx.xx,, *, send-to-space.xx.xx, *.send-to-space.xx.xx, woshare.xx.xx, *.woshare.xx.xx,, *,, *,, *
  • Organization (O): My Company Co., Ltd.
  • Country (C): VN
  • Hashing Algorithm: SHA-256
  • Signing Algorithm: ECDSA
  • Key Size: 256

That website created me CSR and KEY, I used to create a certificate for me, I checked “I Have My Own CSR” then paste the CSR generated from the website and click “Download SSL Certificate”.
After a while, I received the error message:

{ "type": "urn:ietf:params:acme:error:badCSR", "detail": "Error finalizing order :: CN was longer than 64 bytes", "status": 400 }

The CN is very long, up to 318 characters. However, I don’t want to split it to register into multiple certificates, it is very inconvenient to renew.
Therefore, I would like to ask is there any way to register SSL certificate with CSR self-created and CN very long?
Thanks for any of your help!

1 Like

Hi @tanquang

please read your error message. Max. CN = 64 bytes.

PS: Looks like your definition is wrong. CN=one name. If your certificate should have additional domain names, you need a SAN list.

It’s wrong to add more then one domain name (comma separated) in the CN field.


I know, so I want to know if there is any solution to help me “bypass” the 64-character limit? Separating them from multiple registrations is very annoying, the renewal also takes a lot of time and I’m worried my domain name and IP will be limited.
I tried using * only in CN and I got the error:

{ "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Error finalizing order :: Order includes different number of names than CSR specifies", "status": 403 }

1 Like

CN will only parsed as single name by browser even if it’'s shorter then 64charactor.
you put on all the names in SAN extension (you need to do this anyway, as let’s encrypt reject if csr 's CN doesn’t included in it’s SAN extension.
if you better to let client write CSR for you. as LE only do DV certificate, your Organization and country name will be droped.


But OP isn’t using LE; he’s using (which uses a different CA). So he shouldn’t be posting here at all.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.