Issuer's V2 Certificate Revocation List has an unknown critical extension
10-24-2018 10:20 AM
The following messages appear repeatedly on my servers in /var/log/centrify_mapper_error.log:
crlutil: unable to import CRL: SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION: Issuer's V2 Certificate Revocation List has an unknown critical extension.
Centrify Smart Card support is disabled.
Can these messages be ignored?
10-24-2018 12:54 PM
Welcome to the Centrify forums. Although the question is not directly related to Centrify (it's more a Public Key Infrastructure question), in general you really want to understand what PKI messages mean and document the message exception with your security teams.
What's happening here?
In Active Directory, most likely you have a PKI auto-enrollment policy that is issuing a certificate that does not have a mechanism to check its validity. This could be because the certificate revocation list is incorrect, unavailable, nonexistent or unreachable.
What should you do next?
Identify the offending certificate and discuss with your PKI SME regarding the validity of this cert, and why it does not have a validation mechanism.
Note that all other systems in scope of this GPO will have the same problem (regardless of being centrified or not).
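To see which extension a CRL verifier is tripping over, the first step is to list the CRL's extensions and which of them are marked critical. The dependency-free Python walker below is an added example, not code from this thread or from Centrify: it parses the DER of a v2 CRL, decodes crlExtensions, and reports any critical extension outside the RFC 5280 set, which is the condition the crlutil message above describes. The sample CRL, its issuer name and the OID 1.2.3.4 are constructed placeholders; to inspect a real one, load its DER bytes instead of SAMPLE_CRL.

```python
KNOWN_CRL_EXTENSIONS = {"2.5.29.20": "cRLNumber", "2.5.29.27": "deltaCRLIndicator",
                        "2.5.29.28": "issuingDistributionPoint", "2.5.29.46": "freshestCRL",
                        "2.5.29.35": "authorityKeyIdentifier"}  # RFC 5280, section 5.2

def tlv(tag, body):                # DER encoder; lengths below 256 are enough here
    n = len(body)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + body

def parse_tlv(buf, pos):           # decode one header -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                  # long form: low 7 bits give the number of length bytes
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + ln

def children(buf, start, end):     # yield (tag, value) for every TLV in buf[start:end]
    while start < end:
        tag, vs, ve = parse_tlv(buf, start)
        yield tag, buf[vs:ve]
        start = ve

def decode_oid(b):                 # base-128 arcs -> dotted string
    arcs, cur = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def crl_extensions(der):           # -> [(oid, known_name_or_None, critical)]
    _, cl_s, _ = parse_tlv(der, 0)                 # CertificateList SEQUENCE
    _, tbs_s, tbs_e = parse_tlv(der, cl_s)         # TBSCertList SEQUENCE
    out = []
    for tag, val in children(der, tbs_s, tbs_e):
        if tag != 0xA0:                            # crlExtensions is [0] EXPLICIT
            continue
        s, e = parse_tlv(val, 0)[1:]               # Extensions SEQUENCE OF Extension
        for _, ext in children(val, s, e):
            parts = list(children(ext, 0, len(ext)))   # OID, optional BOOLEAN, OCTET STRING
            oid = decode_oid(parts[0][1])
            critical = parts[1][0] == 0x01 and parts[1][1] != b"\x00"
            out.append((oid, KNOWN_CRL_EXTENSIONS.get(oid), critical))
    return out

def unknown_critical(der):         # OIDs a strict verifier has to reject the CRL for
    return [oid for oid, name, crit in crl_extensions(der) if crit and name is None]

# Constructed sample: a v2 CRL carrying cRLNumber plus a critical extension under the
# placeholder OID 1.2.3.4; the signature field is dummy zero bytes, not a real signature.
SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Example CA"))))
EXT_NUM = tlv(0x30, tlv(0x06, b"\x55\x1d\x14") + tlv(0x04, tlv(0x02, b"\x05")))
EXT_UNK = tlv(0x30, tlv(0x06, b"\x2a\x03\x04") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x04, b"opaque")))
TBS = tlv(0x30, tlv(0x02, b"\x01") + SIG_ALG + ISSUER + tlv(0x17, b"181024102000Z")
          + tlv(0xA0, tlv(0x30, EXT_NUM + EXT_UNK)))
SAMPLE_CRL = tlv(0x30, TBS + SIG_ALG + tlv(0x03, b"\x00" * 33))
```

A non-empty result from unknown_critical() is exactly what to hand to the PKI owner: the issuing CA's CRL profile is adding an extension marked critical that the consuming verifier cannot process, and per RFC 5280 a verifier must then refuse to use that CRL.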