And why it is marked critical? You should not mark this extension critical in your CAPolicy.inf file and re-generate request. It isn't going to work otherwise.
Update:
It isn't going to work. Any application that doesn't recognize this particular extension will fail certificate validation and will reject the certificate. It is specified in RFC 5280 §4.2, specifically:
A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.
In given case, Windows (and it is not only CA, but entire Microsoft CryptoAPI subsystem) does not understand this custom extension and cannot process, thus it fails. As I said, it won't work on any RFC-compliant platform/OS.