7 Replies Latest reply: Apr 29, 2010 9:28 AM by 127635

    OIM AD SSL - Certificate contains unsupported critical extensions

    645631
      I imported AD certificate into WebLogic java cacerts using keytool. I have done this numerous times before for jboss and it worked without any issues. However, now I am receiving the following error when I perform "Test Basic Connectivity" for AD using Diagnostic Dashboard:

      Caused by: javax.naming.CommunicationException: simple bind failed:adhostname:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]]
           at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
           at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
           at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:287)
           at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)

      Also, OIM has the following bug:
      Bug 6736667
      Critical extensions in an SSL certificate are not supported.

      Can someone recommend the changes that need to be made on AD server for this error?

      Thanks!
        • 1. Re: OIM AD SSL - Certificate contains unsupported critical extensions
          Daniel Gralewski-Oracle
          I would say that you need to somehow generate a new certificate for AD. This new certificate should NOT contain the non-supported fields.

          Using Microsoft CA you probably can configure what are the fields and field values that will be used to create the certificate.

          Hope this helps
          • 2. Re: OIM AD SSL - Certificate contains unsupported critical extensions
            645631
            We issued a new certificate that has no critical extensions. It seems really odd to me that the cert does not even contain the 2.5.29.17 extension; check the results of Target SSL Verification below for the AD cert:

            Certificate Extensions: 6
            [1]: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 06 1E 04 00 43 00 41 .....C.A

            [2]: ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: AB A1 E5 E0 0E 5A A9 9F 26 A5 03 7C A3 46 3C EE .....Z..&....F<.
            0010: 4A 61 02 A6 Ja..
            ]
            ]
            [3]: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 16 04 14 D9 E8 79 4E 0B F9 28 2C 58 C9 B4 93 ......yN..(,X...
            0010: 8A 25 85 31 E4 06 9C 4B .%.1...K
            [4]: ObjectId: 2.5.29.15 Criticality=false
            KeyUsage [
            DigitalSignature
            Key_CertSign
            Crl_Sign
            ]
            [5]: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
            Extension unknown: DER encoded OCTET string =
            0000: 04 03 02 01 01 .....

            [6]: ObjectId: 2.5.29.19 Criticality=false
            BasicConstraints:[
            CA:true
            PathLen:1
            ]

            Any other thoughts/recommendations?

            Thanks!
            • 3. Re: OIM AD SSL - Certificate contains unsupported critical extensions
              695047
              I have seen this a couple of times when a customer uses non standard AD CA certificates.

              I would suggest following Daniel's advice unless you have a big pile of spare time to spend on chasing down exactly why OIM's certificate parser doesn't like the certificate you are using. In any case it is highly unlikely that Oracle will fix any bugs you find.

              Best regards
              /Martin
              • 4. Re: OIM AD SSL - Certificate contains unsupported critical extensions
                645631
                The problem is resolved. The issue was not because of unsupported uncritical extensions as shown in the error message but because of the CA from which certs were imported.
                • 5. Re: OIM AD SSL - Certificate contains unsupported critical extensions
                  127635
                  Can you give details of your solution? We are facing the same issue and we'd like to solve it asap.
                  • 6. Re: OIM AD SSL - Certificate contains unsupported critical extensions
                    645631
                    Import the root certificate along with the certificates for each domain controller. Let me know if it still does not work.

                    Thanks,
                    Ruchi
                    • 7. Re: OIM AD SSL - Certificate contains unsupported critical extensions
                      127635
                      Actually, it turned out that we had to adjust how the MS CA that AD uses configures its default cert template.

                      From:

                      http://webcache.googleusercontent.com/search?q=cache:_KMlGQRlhq8J:www.chrisweldon.net/2009/04/16/certificate-services-and-unsupported-critical-extensions+active+directory+subject+alternative+name+critical&cd=1&hl=en&ct=clnk&gl=ca


                      "[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: 2.5.29.17]

                      These unsupported critical extensions are the SubjectAltName. From Windows Server 2003 to Windows Server 2008, the default Certificate Template for Domain Controller Authentication allows the requestor to specify their Subject Alternative Name, and when the certificate is issued, it is marked critical. Because Java doesn’t recognize this extension, it by default fails the certificate, resulting in the error message above.

                      After many hours of Google searching, I managed to find the article that fixes the problem. In essence, we have to change the Subject name format from None to Common name. To get to this option box, do the following:

                      1. Open the Server Manager
                      2. Expand Roles > Active Directory Certificate Services
                      3. Click Certificate Templates
                      4. Right click on Domain Controller Authentication and click properties
                      5. Click the Subject Name tab
                      6. Change the Subject name format drop-down option from None to Common name
                      7. Click OK

                      This will change the settings for this template. However, if you have issued any Domain Controller certificates up to this point, you will need to revoke them and reissue new certificates."

                      This is what we had to do in order to get the certs to work.
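As an added illustration (not code from the thread, from Oracle or from the quoted article), the following pure-Python DER walk over an X.509 Extensions block applies the RFC 5280 rule behind both outcomes in this thread: an extension the validator does not recognise is ignored when it is non-critical (which is why the six non-critical extensions in Ruchi's dump, Microsoft private OIDs included, pass), but must cause rejection when it is marked critical (the SubjectAltName 2.5.29.17 issued by the default Domain Controller Authentication template). The extension OIDs and several values are copied from the dump; the dNSName, the SUPPORTED set, the sample builders and the function names are assumptions made for the example.

```python
# Added example: minimal DER encoder/parser for the X.509 Extensions SEQUENCE
# plus the RFC 5280 s4.2 critical-extension rule.  Sample extension blocks are
# constructed here; OIDs and some values are taken from the dump in the thread.

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Wrap content octets in a tag and DER length."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def decode_oid(body):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER forbids encoding a DEFAULT value, so the BOOLEAN is emitted only when TRUE."""
    body = encode_oid(oid)
    if critical:
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, value)
    return der_tlv(0x30, body)


def encode_extensions(exts):
    return der_tlv(0x30, b"".join(encode_extension(*e) for e in exts))


def parse_extensions(der):
    """Return [(oid, critical, extnValue bytes)] from a DER Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                             # optional critical flag is present
            critical = val != b"\x00"
            tag, val, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid_body), critical, val))
    return result


# Extensions this hypothetical validator understands.  SubjectAltName (2.5.29.17)
# is deliberately missing, mirroring the behaviour the thread reports.
SUPPORTED = {"2.5.29.14": "SubjectKeyIdentifier", "2.5.29.15": "KeyUsage", "2.5.29.19": "BasicConstraints"}


def unsupported_critical(exts, supported=SUPPORTED):
    """RFC 5280 s4.2: unknown non-critical extensions are ignored; unknown critical ones must reject."""
    return [oid for oid, critical, _ in exts if critical and oid not in supported]


# Constructed samples modelled on the dump quoted in the thread.
TEMPLATE_NAME = b"\x1e\x04\x00\x43\x00\x41"              # BMPString "CA" (dump's 1.3.6.1.4.1.311.20.2)
KEY_USAGE = b"\x03\x02\x01\x86"                          # digitalSignature, keyCertSign, cRLSign
BASIC_CONSTRAINTS = b"\x30\x06\x01\x01\xff\x02\x01\x01"  # CA:true, pathLen 1
SAN = der_tlv(0x30, der_tlv(0x82, b"dc01.example.test"))  # GeneralNames { dNSName }, hostname is made up


def ad_default_template_extensions():
    """DC cert as the article describes: SAN marked critical by the default template."""
    return encode_extensions([
        ("1.3.6.1.4.1.311.20.2", TEMPLATE_NAME),       # Microsoft private OIDs: unknown but non-critical
        ("1.3.6.1.4.1.311.21.1", b"\x02\x01\x01"),
        ("2.5.29.15", KEY_USAGE),
        ("2.5.29.19", BASIC_CONSTRAINTS),
        ("2.5.29.17", SAN, True),
    ])


def fixed_template_extensions():
    """Same cert after the template change: SAN still present, no longer critical."""
    return encode_extensions([
        ("1.3.6.1.4.1.311.20.2", TEMPLATE_NAME),
        ("1.3.6.1.4.1.311.21.1", b"\x02\x01\x01"),
        ("2.5.29.15", KEY_USAGE),
        ("2.5.29.19", BASIC_CONSTRAINTS),
        ("2.5.29.17", SAN),
    ])


if __name__ == "__main__":
    for name, der in (("default template", ad_default_template_extensions()),
                      ("fixed template", fixed_template_extensions())):
        bad = unsupported_critical(parse_extensions(der))
        print(f"{name}: {'REJECT ' + str(bad) if bad else 'accept'}")
```

Running the script prints a rejection listing `2.5.29.17` for the default-template block and an accept for the fixed one. On a real JDK the equivalent check, usable before a certificate is ever imported into cacerts, is `java.security.cert.X509Certificate.getCriticalExtensionOIDs()` together with `hasUnsupportedCriticalExtension()`; an OID that shows up there but not in `getNonCriticalExtensionOIDs()` is exactly what the stack trace at the top of the thread is complaining about.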