MarcinB-7160 asked Crypt32 commented

Deploy Sub CA using certificate with custom critical extension

Hello all,

I'm trying to set up a sub CA on Windows Server 2016 using a certificate signed by an external root CA, and this certificate contains a custom extension marked as critical. When selecting this certificate, I'm getting the error:

Active Directory Certificate Services setup failed with the following error: A certificate contains an unknown extension that is marked 'critical'. 0x800b0105 (-2146762491 CERT_E_CRITICAL)


I tried to create CAPolicy.inf file:

 [Version]
 Signature="$Windows NT$"
 [Extensions]
 ; CAPolicy.inf marks an extension critical by listing its OID under Critical=
 ; (Critical=True is not valid syntax here)
 2.23.148.1.20=
 Critical=2.23.148.1.20

but this didn't help.
How can I use this certificate?

windows-server-security

1 Answer

Crypt32 answered Crypt32 commented

And why is it marked critical? You should not mark this extension critical in your CAPolicy.inf file; re-generate the request. It isn't going to work otherwise.

Update:
It isn't going to work. Any application that doesn't recognize this particular extension will fail certificate validation and will reject the certificate. This is specified in RFC 5280 §4.2, specifically:

A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process.

In the given case, Windows (and it is not only the CA, but the entire Microsoft CryptoAPI subsystem) does not understand this custom extension and cannot process it, thus it fails. As I said, it won't work on any RFC-compliant platform/OS.
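The RFC 5280 §4.2 rule quoted above can be checked on a certificate before ADCS setup is attempted. The following Python is an added example, not code from this thread or from Microsoft: a small DER walker that lists the critical extensions in an X.509 Extensions block and flags those the relying party does not recognize. The KNOWN_EXTENSIONS set and the sample bytes (which include the asker's 2.23.148.1.20 OID) are constructed for this example.

```python
# OIDs this example's relying party recognizes (a constructed list; CryptoAPI and other
# real validators carry their own, much longer set of extensions they can process).
KNOWN_EXTENSIONS = {"2.5.29.19", "2.5.29.15", "2.5.29.14", "2.5.29.35"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Dotted OID from contents octets (first octet packs arcs 1 and 2, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def critical_extensions(extensions_der):
    """Return [(oid, recognized)] for every extension whose critical flag is TRUE."""
    tag, body, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a DER SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)          # Extension ::= SEQUENCE
        _, oid_raw, p = _read_tlv(ext, 0)           # extnID OBJECT IDENTIFIER
        tag, val, _ = _read_tlv(ext, p)             # critical BOOLEAN, or extnValue if omitted
        if tag == 0x01 and val == b"\xff":          # critical DEFAULT FALSE: present means TRUE
            oid = _decode_oid(oid_raw)
            found.append((oid, oid in KNOWN_EXTENSIONS))
    return found

def unrecognized_critical(extensions_der):
    """OIDs that RFC 5280 §4.2 says must cause rejection; non-empty means CERT_E_CRITICAL."""
    return [oid for oid, known in critical_extensions(extensions_der) if not known]

# Constructed sample Extensions block: basicConstraints (critical, CA:TRUE),
# subjectKeyIdentifier (not critical) and the asker's 2.23.148.1.20 marked critical.
SAMPLE_EXTENSIONS = bytes.fromhex(
    "302e" "300f0603551d130101ff040530030101ff" "300d0603551d0e0406040401020304"
    "300c06056781140114" "0101ff0400"
)

if __name__ == "__main__":
    print("unrecognized critical extensions:", unrecognized_critical(SAMPLE_EXTENSIONS))
```

A non-empty result is exactly the condition under which a conforming validator, CryptoAPI included, must reject the certificate, regardless of what CAPolicy.inf says.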


It is required by the external company's standard, which is signing our sub CA CSR.


see updated response.
