Skip to end of metadata
Go to start of metadata

The following errors may be produced by the certificate services UI.  This document provides a brief explanation for the error and possible solutions.  This list is not exhaustive–if the error isn't on this list, please contact with the error text.  

You do not have permission: Invalid wildcard

A wildcard can only be at the beginning of a domain name.  e.g. * is valid but clay.* is not. 


reformat using a valid wildcard

You do not have permission:  You are not an owner of <domain>

Your netid isn't authorized to request certificates for this domain.  This can have several causes:

  • Your domain doesn't exist, or has a typo in it.  (While this message is technically correct for this situation, we admit it isn't the most helpful).  
  • The domain's DNS is controlled by UW, but your NetID isn't authorized to administer it.  This is almost always the case for subdomains of and  
  • The domain's DNS isn't controlled by UW.  This is more likely for privately registered names like  
  • Use the "Verify DNS ownership" tool linked at the top of the Certificate Services page to verify you are authorized to administer this domain.  If you aren't authorized and aren't sure how to proceed, send email to  IAM specialists can look up the domain and recommend solutions.  
  • Check for typos in your CSR–transposing various letters in "washington" is by far the most common cause of this error (other than not actually being authorized for the domain).  If it's not a typo, send email to  IAM specialists can look up the domain and recommend solutions.  

You do not have permission:  InCommon says no permission 

This non-uw domain hasn't been validated with InCommon. 


This domain needs to be approved before certificates can be issued for it.  See Request a New Domain for InCommon CA Certificates

Could not verify DNS ownership:  CN or altName not valid

The CN or at least one altName didn't parse as a valid DNS name.  


Check for typos in your CSR.  Contact (include a copy of your CSR) if the error persists.  

The CA reports exception:  IO error to CA

This usually means the InCommon/Comodo API is unavailable.  

  • Check InCommon/Comodo status page at:  (Note "Comodo" re-branded to "Sectigo" in November 2018)
  • Outages are typically brief.  Try your request again in an hour, and contact if the error persists.  

invalid CSR problem parsing cert: java.lang.IllegalArgumentException: badly encoded request

This means there was a problem parsing the CSR.  The most common cause of this error is pasting in DNS names or other text instead of a base64 encoded public key plus metadata.  A CSR has the following format:

CSR example--non-functional

  • No labels