Issuer's V2 Certificate Revocation List has an unknown critical extension

Participant I
Posts: 1
Registered: ‎10-24-2018
#1 of 2 525

The following messages appear repeatedly on my servers in /var/log/centrify_mapper_error.log

Doing /var/centrify/net/certs
Doing /var/centrify/net/certs
Doing /var/centrify/net/certs
Doing /var/centrify/net/certs
Doing /var/centrify/net/certs
crlutil: unable to import CRL: SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION: Issuer's V2 Certificate Revocation List has an unknown critical extension.
Centrify Smart Card support is disabled.

Can these messages be ignored?

RHEL7.5

CentrifyDC-5.3.1-398.x86_64
CentrifyDC-openssh-7.2p2-5.3.1.391.x86_64

Centrify Guru I
Posts: 2,431
Registered: ‎07-26-2012
#2 of 2 520

Re: Issuer's V2 Certificate Revocation List has an unknown critical extension

@russauld,

Welcome to the Centrify forums.  Although the question is not directly related to Centrify (it's more a Public Key Infrastructure question), in general you really want to understand what PKI messages mean and document the message exception with your security teams.

What's happening here?

In Active Directory, most likely you have a PKI auto-enrollment policy that is issuing a certificate that does not have a mechanism to check its validity.  This could be because the certificate revocation list is incorrect, unavailable, non-existent or unreachable.

What should you do next?

Identify the offending certificate and discuss with your PKI SME regarding the validity of this cert, and why it does not have a validation mechanism.

Note that all other systems in scope of this GPO will have the same problem (regardless of being centrified or not).

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
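To name the offending extension before taking the CRL to the PKI SME, here is an added example (not Centrify's or NSS's code) that walks the DER of an X.509 v2 CRL and reports which crlExtensions are marked critical but fall outside the RFC 5280 standard set. Treating that set as what crlutil understands is an assumption, and the sample CRL is constructed for the demonstration.

```python
# Added example, not Centrify's or NSS's code. Lists the crlExtensions of a DER
# X.509 v2 CRL with their critical flags; "known" = RFC 5280 section 5.2 (assumption).
KNOWN_CRL_EXTENSIONS = {"2.5.29.35": "authorityKeyIdentifier", "2.5.29.18": "issuerAltName",
                        "2.5.29.20": "cRLNumber", "2.5.29.27": "deltaCRLIndicator",
                        "2.5.29.28": "issuingDistributionPoint", "2.5.29.46": "freshestCRL",
                        "1.3.6.1.5.5.7.1.1": "authorityInfoAccess"}
def children(buf):
    """Split DER content into (tag, value) pairs; handles short and long lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long form: 0x8n, then n length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(b):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, cur = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        cur = (cur << 7) | (byte & 0x7F)          # base-128 arcs, high bit = continue
        if not byte & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def crl_extensions(der):
    """[(oid, critical)] from tbsCertList.crlExtensions, the [0] EXPLICIT field."""
    (_, cert_list), = children(der)              # outer CertificateList SEQUENCE
    _, tbs = children(cert_list)[0]              # tbsCertList
    for tag, val in children(tbs):
        if tag == 0xA0:                          # context-specific [0] wrapper
            result = []
            for _, ext in children(children(val)[0][1]):   # SEQUENCE OF Extension
                fields = children(ext)           # extnID, [critical BOOLEAN], extnValue
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                result.append((decode_oid(fields[0][1]), critical))
            return result
    return []                                    # v1 CRL, or no extensions at all

def unknown_critical(der):
    """Critical OIDs outside the known set: the ones a strict verifier rejects."""
    return [o for o, c in crl_extensions(der) if c and o not in KNOWN_CRL_EXTENSIONS]
def tlv(tag, content):                           # DER encoder for the sample (short lengths)
    return bytes([tag, len(content)]) + content

# Constructed sample: skeletal v2 CRL, non-critical cRLNumber plus private OID 1.2.3.4 critical.
RSA_SHA256 = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
EXTS = tlv(0xA0, tlv(0x30, tlv(0x30, tlv(0x06, b"\x55\x1d\x14") + tlv(0x04, tlv(0x02, b"\x05")))
    + tlv(0x30, tlv(0x06, b"\x2a\x03\x04") + tlv(0x01, b"\xff") + tlv(0x04, b"\x00"))))
SAMPLE_CRL = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + RSA_SHA256 + tlv(0x30, b"")
    + tlv(0x17, b"181024000000Z") + EXTS) + RSA_SHA256 + tlv(0x03, b"\x00\x00"))
```

To check a real file, read the DER bytes of each CRL under /var/centrify/net/certs and pass them to unknown_critical; a PEM CRL can be converted first with openssl crl -inform PEM -outform DER.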