Deploy Sub CA using certificate with custom critical extension

Marcin B 1 Reputation point
2021-11-02T08:32:03.42+00:00

Hello all,

I'm trying to set up sub CA on Windows Server 2016 using certificate signed by external root CA, and this certificate contains custom extension marked as critical. When selecting this certificate, I'm getting error:

Active Directory Certificate Services setup failed with the following error: A certificate contains an unknown extension that is marked 'critical'. 0x800b0105 (-2146762491 CERT_E_CRITICAL)

I tried to create CAPolicy.inf file:

[Version]
Signature=”$Windows NT$”
[Extensions]
2.23.148.1.20=
Critical=True

but this doesn't helped.
How I can use this certificate?

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,304 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vadims Podāns 8,081 Reputation points Microsoft MVP
    2021-11-02T13:46:30.927+00:00

    And why it is marked critical? You should not mark this extension critical in your CAPolicy.inf file and re-generate request. It isn't going to work otherwise.

    Update:
    It isn't going to work. Any application that doesn't recognize this particular extension will fail certificate validation and will reject the certificate. It is specified in RFC 5280 §4.2, specifically:

    A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.

    In given case, Windows (and it is not only CA, but entire Microsoft CryptoAPI subsystem) does not understand this custom extension and cannot process, thus it fails. As I said, it won't work on any RFC-compliant platform/OS.