Issuer's V2 Certificate Revocation List has an unknown critical extension

russauld · ‎10-24-2018

The following messages appear repeatedly on my servers in /var/log/centrify_mapper_error.log

Doing /var/centrify/net/certs
Doing /var/centrify/net/certs
Doing /var/centrify/net/certs
Doing /var/centrify/net/certs
Doing /var/centrify/net/certs
crlutil: unable to import CRL: SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION: Issuer's V2 Certificate Revocation List has an unknown critical extension.
Centrify Smart Card support is disabled.

Can these messages be ignored?

RHEL7.5

CentrifyDC-5.3.1-398.x86_64
CentrifyDC-openssh-7.2p2-5.3.1.391.x86_64

Robertson · ‎07-26-2012

@russauld,

Welcome to the Centrify forums. Although the question is not directly-related to Centrify (it's more a Public Key Infrastructure question), in general you really want to understand what PKI messages mean and document the message exception with your security teams.

What's happening here?

In Active Directory, most likely you have a PKI auto-enrollment policy that is issuing a certificate that does not have a mechanism to check its validity. This could be because the certificate revocation list is incorrect, unavailable, non existant or unreachable.

What you should do next?

Identify the offending certificate and discuss with your PKI SME regarding the validity of this cert, and why it does not have a validation mechanism.

Note that all other systems in scope of this GPO will have the same problem (regardless of being centrified or not).

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify:

Centrify Infrastructure Services

Issuer's V2 Certificate Revocation List has an unknown critical extension

Issuer's V2 Certificate Revocation List has an unknown critical extension

Re: Issuer's V2 Certificate Revocation List has an unknown critical extension