Certificate Services and Unsupported Critical Extensions

Because of the need to have Active Directory operating over SSL, Active Directory Certificate Services were set up in our environment. For those unfamiliar with Active Directory Certificate Services, it is essentially a Public Key Infrastructure for a Windows environment that cleanly ties into IIS, LDAP, and anything else that needs to request certificates and have a parent certificate authority seamlessly sign those requests (the full description is shortened here for brevity).

After the initial install of the services, some changes were made. The reason was a problem with using the Root Certificate Authority certificate on a Java application server so that the certificates issued to the domain controllers would be trusted. The specific error message was:

simple bind failed: sydney.arch.tamu.edu:636; nested exception is javax.naming.CommunicationException: simple bind failed: domain.server.fqdn:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: 2.5.29.17]

These unsupported critical extensions are the SubjectAltName (OID 2.5.29.17). From Windows Server 2003 to Windows Server 2008, the default Certificate Template for Domain Controller Authentication allows the requestor to specify their own Subject Alternative Name, and when the certificate is issued, that extension is marked critical. Because Java does not recognize this extension, by default it rejects the certificate, resulting in the error message above.

After many hours of Google searching, I managed to find the article that fixes the problem. In essence, we have to change the Subject name format from None to Common name. To get to this option box, do the following:

  1. Open the Server Manager
  2. Expand Roles > Active Directory Certificate Services
  3. Click Certificate Templates
  4. Right-click on Domain Controller Authentication and click Properties
  5. Click the Subject Name tab
  6. Change the Subject name format drop-down option from None to Common name
  7. Click OK

This changes the settings for the template. However, any Domain Controller certificates already issued from it up to this point will need to be revoked and reissued.
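As an added example (not code from the original post), here is a standard-library Python check that walks a certificate's DER-encoded Extensions sequence and reports which extensions are marked critical, so certificates already issued from the template can be screened for a critical SubjectAltName (2.5.29.17) before a Java client rejects them. The two Extensions blobs at the bottom are constructed samples, not real domain controller certificates, and the hostname dc1.example.test is made up.

```python
# Added example, not from the original post: list the extensions in an
# X.509 Extensions SEQUENCE with their critical flag (stdlib only).
SUBJECT_ALT_NAME_OID = "2.5.29.17"

def _read_tlv(data, pos):                          # one DER tag-length-value
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                              # base-128 sub-identifiers
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def parse_extensions(der):
    """Extensions SEQUENCE -> [(oid, critical), ...] in certificate order."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE OF Extension"
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)          # one Extension SEQUENCE
        _, oid_raw, p = _read_tlv(ext, 0)
        tag, body, _ = _read_tlv(ext, p)           # BOOLEAN if present, else OCTET STRING
        result.append((_decode_oid(oid_raw), tag == 0x01 and body != b"\x00"))
    return result

def critical_extensions(der):                      # OIDs a strict verifier must know
    return [oid for oid, critical in parse_extensions(der) if critical]

def has_critical_san(der):
    return SUBJECT_ALT_NAME_OID in critical_extensions(der)

# Constructed sample blobs (not real DC certificates): keyUsage, SAN and
# extendedKeyUsage, with the SAN critical as in the post and then not.
def _tlv(tag, body):                               # short-form lengths only
    return bytes([tag, len(body)]) + body

def _ext(oid_hex, critical, value):
    flag = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, bytes.fromhex(oid_hex) + flag + _tlv(0x04, value))

def _sample(san_critical):
    return _tlv(0x30,
        _ext("0603551d0f", True, _tlv(0x03, b"\x05\xa0"))
        + _ext("0603551d11", san_critical, _tlv(0x30, _tlv(0x82, b"dc1.example.test")))
        + _ext("0603551d25", False, _tlv(0x30, bytes.fromhex("06082b06010505070301"))))

BROKEN_DC_EXTENSIONS = _sample(True)     # Java: "unsupported critical extensions: 2.5.29.17"
REISSUED_DC_EXTENSIONS = _sample(False)  # same SAN, no longer marked critical
```

On a real certificate, pass the content of the TBSCertificate's [3] extensions field; the parser handles only the Extensions sequence itself, not the whole certificate.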