1.3.1.6 Sanitizing Common Names
The common names (CNs) of Active Directory objects, as specified in [MS-ADTS], that are used by the enrollment protocol are created by sanitizing the names of other objects and shortening the sanitized name so that it does not exceed 57 characters, including spaces. Objects are defined as a collection of Lightweight Directory Access Protocol (LDAP) attributes. Attributes are defined as LDAP data types, as specified in [RFC2251] and [RFC4523].
The sanitized name must not exceed 57 characters in length. A name is sanitized by replacing each disallowed character with an exclamation point ("!") followed by four hexadecimal digits, which together form one value representing the 16-bit character being replaced.
In the following example, the opening parenthesis ("(") is replaced with !0028, the number sign ("#") is replaced with !0023, the percent sign ("%") is replaced with !0025, and the caret ("^") is replaced with !005e.
Original Name: 'LongCAName(WithSpeci@#$%^Characters'
Sanitized Name: 'LongCAName!0028WithSpeci@!0023$!0025!005eCharacters'
The algorithm for creating a sanitized name is specified in [MS-WCCE] section 3.1.1.4.1.1.
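The following is an added example, not text or code from this specification or from [MS-WCCE]: a Python implementation of the character-replacement step described above, with the inverse mapping. Two things are assumptions of this example rather than statements of the page: the set of allowed characters (derived from the worked example, which keeps letters, digits, "@" and "$" and replaces "(", "#", "%" and "^"; the normative list is in [MS-WCCE] section 3.1.1.4.1.1), and the choice of lowercase hexadecimal digits, which matches "!005e" in the example. The shortening step for names longer than 57 characters is only checked, not reproduced. Because "!" is itself replaced by "!0021", the replacement is unambiguous and reversible, so two distinct original names cannot produce the same sanitized name before shortening.

```python
import re

# ASSUMPTION of this example: the specification section does not list the
# disallowed characters. This allow-list reproduces the behaviour shown in the
# worked example; consult [MS-WCCE] 3.1.1.4.1.1 for the normative set.
ALLOWED = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 -._$@"
)

# Stated on the page: the sanitized name must not exceed 57 characters.
MAX_SANITIZED_LENGTH = 57

_ESCAPE = re.compile(r"!([0-9a-fA-F]{4})")


def _utf16_code_units(text: str):
    """Yield the 16-bit UTF-16 code units of text, so that a character outside
    the Basic Multilingual Plane yields its two surrogate units separately."""
    data = text.encode("utf-16-le", "surrogatepass")
    for i in range(0, len(data), 2):
        yield int.from_bytes(data[i:i + 2], "little")


def sanitize_name(name: str, allowed=ALLOWED) -> str:
    """Replace every disallowed 16-bit character with '!' + 4 hex digits."""
    out = []
    for unit in _utf16_code_units(name):
        ch = chr(unit)
        if ch in allowed:
            out.append(ch)
        else:
            # Lowercase hex, matching the "!005e" in the page's example.
            out.append(f"!{unit:04x}")
    return "".join(out)


def unsanitize_name(sanitized: str) -> str:
    """Inverse of sanitize_name: decode every '!XXXX' back to its code unit.
    Works because a literal '!' never survives sanitizing unescaped."""
    units = []
    pos = 0
    for m in _ESCAPE.finditer(sanitized):
        units.extend(ord(c) for c in sanitized[pos:m.start()])
        units.append(int(m.group(1), 16))
        pos = m.end()
    units.extend(ord(c) for c in sanitized[pos:])
    data = b"".join(u.to_bytes(2, "little") for u in units)
    return data.decode("utf-16-le")


def within_length_limit(sanitized: str) -> bool:
    """True if the sanitized name needs no shortening per the 57-character rule."""
    return len(sanitized) <= MAX_SANITIZED_LENGTH


if __name__ == "__main__":
    # Input taken from the page's own example.
    original = "LongCAName(WithSpeci@#$%^Characters"
    sanitized = sanitize_name(original)
    print(sanitized)                      # LongCAName!0028WithSpeci@!0023$!0025!005eCharacters
    print(within_length_limit(sanitized))
    print(unsanitize_name(sanitized) == original)
```

Feeding a non-BMP character such as U+1F600 through `sanitize_name` yields "!d83d!de00", one escape per surrogate code unit, which is what "16-bit character" in the section implies; `unsanitize_name` reassembles the pair.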