Enrollment Questions

I get an error saying that a user cannot have the same Subject DN as another user when issuing certificates?

Since EJBCA 3.10, different end entities cannot, by default, have the same subject DN issued from one CA. This enforces subject DN uniqueness. In some cases this is not convenient because one user can appear as multiple end entities.

You can enable/disable this function in the "Edit Certificate Authorities" screen in the CA GUI. In the CA configuration uncheck 'Enforce unique DN'.

I get an exception with an SQL error like "Value too large for column USERDATA.SUBJECTALTNAME" (or SUBJECTDN) when adding a new user?

This can happen if you have specified one or more fields of the "Subject Alternative Name" with a total length exceeding 255 characters. To avoid this problem you can safely extend the size of the columns SUBJECTALTNAME and SUBJECTDN of the table USERDATA, and of the column SUBJECTDN of the table CERTIFICATEDATA.

An example of extending the subjectDN and altName columns in MySQL (version > 5.0.3):

mysql> alter table CertificateData modify subjectDN varchar(2048);
mysql> alter table UserData modify subjectDN varchar(2048);
mysql> alter table UserData modify subjectAltName varchar(2048);

With the new column sizes you can run into problems applying indexes in some database versions, for example:
"Specified key was too long; max key length is 767 bytes"

You can circumvent this by creating the index over a subset of the column:

mysql> create index certificatedata_idx4 ON CertificateData (subjectDN(250));

I have enrolled manually for a server - why are my PKCS10 DN fields ignored?

PKCS#10 is a standard format for sending the public key (self-signed to provide proof-of-possession) to a CA. EJBCA does not trust the DN parts the user enters when he creates the PKCS10 request. The only way to make the certificate match what you enter in the PKCS10 request is to enter the same thing in the end entity in EJBCA. If you really trust your RAs that send certificate requests, there is an option "Allow DN Override" in Certificate Profiles that can be used. This is described in more detail in the doc
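
The behaviour described in this answer, as an added Python illustration using the `cryptography` package (not EJBCA code): the issuer checks the request's proof-of-possession signature, takes only the public key from it, and uses the subject registered for the end entity. The names, the sample DNs and the `allow_dn_override` parameter (a stand-in for the "Allow DN Override" profile option) are assumptions made for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_csr(key, cn):
    """Requester side: PKCS#10 request, self-signed as proof-of-possession."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(name(cn))
            .sign(key, hashes.SHA256()))


def issue(ca_key, ca_name, csr, registered_dn, allow_dn_override=False):
    """CA side: public key comes from the CSR, subject from the registration."""
    if not csr.is_signature_valid:
        raise ValueError("proof-of-possession check failed")
    # The requester-supplied DN is used only when override is explicitly allowed.
    subject = csr.subject if allow_dn_override else registered_dn
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(ca_name)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(ca_key, hashes.SHA256()))


def issued_cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


# Constructed sample data: every name below is made up for the demonstration.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = name("Example Test CA")
REGISTERED_DN = name("server1.example.com")  # DN entered for the end entity
CSR = make_csr(ec.generate_private_key(ec.SECP256R1()), "typed.by.requester")

if __name__ == "__main__":
    print(issued_cn(issue(CA_KEY, CA_NAME, CSR, REGISTERED_DN)))
    print(issued_cn(issue(CA_KEY, CA_NAME, CSR, REGISTERED_DN, True)))
```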