Problem doing an SSL bind to Active Directory w/new cert

Hi,

The windows sysadmin had a problem with the certificate authority and had to rebuild it and then re-issue all the certs. I got the new authority's public key, but now when I try to bind to Active Directory, I get the following message:

javax.naming.CommunicationException: simple bind failed: mbot.its.wfo.linfield.edu:636. Root exception is
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unknown critical extensions: [2.5.29.17]

The sysadmin tells me that all the windows boxes are back and working just fine with the new certificates, and it was no problem to import it into Firefox. So what does that message mean, and what needs to be done to fix it?

Thanks,

Rob Tanner

Linfield College

By theCheshireCata at 2007-10-2 0:42:46
# 1

I'm sorry I cannot tell you how to fix it, but I can tell you what it means. X509 v3 certificates can have additional optional fields called extensions. The idea was to allow certificate functionality to expand over time. The problem is that a certificate-enabled application developed in year X cannot be expected to know about a new extension someone thought to add to new certificates after year X. So, extensions have a special boolean flag called the critical flag. If the extension has the critical flag set to true, then if the application does not understand the meaning of the flag it is supposed to reject the certificate. If the critical flag is set to false, then the application is free to simply ignore the extension if it doesn't know what it is.

The particular extension being complained about has OID 2.5.29.17, which is subjectAlternativeName. This is a very common extension, so it is surprising that the Certificate class doesn't recognize it. Are you maybe using some very old classes?

ghstarka at 2007-7-15 16:57:29
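The critical-flag rule described in this reply, as an added example that is not from the thread: a small DER walker that lists each extension's OID and critical flag and applies the RFC 5280 rule (reject on a critical extension you do not understand, ignore a non-critical one), run over a constructed Extensions sequence in which subjectAltName is marked critical, as the error message reports. The function names, the `_tlv` helper and the sample bytes are assumptions made for this example.

```python
def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets to dotted form, e.g. 55 1d 11 -> '2.5.29.17'."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 octet of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def parse_extensions(ext_seq):
    """Return [(oid, critical)] for each Extension in a DER Extensions SEQUENCE."""
    _, body, _ = _read_tlv(ext_seq, 0)
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)           # one Extension SEQUENCE
        _, oid_raw, p = _read_tlv(ext, 0)            # extnID
        tag, val, _ = _read_tlv(ext, p)              # critical BOOLEAN (DEFAULT FALSE, so may be absent)
        critical = tag == 0x01 and val != b"\x00"
        out.append((_decode_oid(oid_raw), critical))
    return out

def unsupported_critical(extensions, supported_oids):
    """OIDs a validator must reject on: marked critical but not understood (RFC 5280 s4.2)."""
    return [oid for oid, crit in extensions if crit and oid not in supported_oids]

def _tlv(tag, content):
    """Minimal DER encoder (short-form lengths only), used to build the constructed sample."""
    return bytes([tag, len(content)]) + content

# Constructed sample Extensions: SAN (2.5.29.17) marked critical carrying dNSName
# "dc.example.test", then a non-critical, empty basicConstraints (2.5.29.19).
SAMPLE_EXTENSIONS = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, b"\x55\x1d\x11") + _tlv(0x01, b"\xff")
             + _tlv(0x04, _tlv(0x30, _tlv(0x82, b"dc.example.test"))))
  + _tlv(0x30, _tlv(0x06, b"\x55\x1d\x13") + _tlv(0x04, _tlv(0x30, b""))))

if __name__ == "__main__":
    # A validator that knows basicConstraints but not SAN must reject, as in the thread:
    print(unsupported_critical(parse_extensions(SAMPLE_EXTENSIONS), {"2.5.29.19"}))
```

Feeding the same list a supported set that includes 2.5.29.17 returns an empty list, which is the behaviour a validator that recognises subjectAltName shows on this certificate.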
# 2

Hi Guys,

We are also experiencing the same exception while using certificate created based on "Domain Controller Authentication" template:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unknown critical extensions: [2.5.29.17]

Is there any way to work around this issue? Please provide your feedback asap.

Thanks,

Nauty

nautya at 2007-7-15 16:57:29
# 3
I've just run into the same issue. I don't believe I am using any older classes. Anyone resolve this issue?
Stangya at 2007-7-15 16:57:29
# 4

Did you ever find a resolution to this? It seems that after we upgraded our Windows Cert Authority to Windows 2003 Enterprise Edition and all the DCs got new certs based on the Domain Controller Authentication template, some legacy applications that use Netscape's cert7.db certificate stores fail LDAP over SSL. Microsoft is at a loss, and so far so is the vendor of the particular application that uses the Netscape store (PeopleSoft). Any help would be appreciated.

cevans999a at 2007-7-15 16:57:29