My Oracle Support Banner

Certificate for Active Directory with Invalid Extensions Provokes (Doc ID 1549669.1)

Last updated on JANUARY 02, 2022

Applies to:

Java SE JDK and JRE - Version 1.5.0 to 7 [Release 1.5 to 7]
Microsoft Windows x64 (64-bit)


After upgrading the internal Root CA (Microsoft Active Directory CA Cert),  the “Domain Controller Authentication” certificate has a blank subject field and the Subject Alternate Name (SAN) field is marked critical on the “Domain Controller Authentication” certificate. From Windows Server 2003 to Windows Server 2008, the default Certificate Template for Domain Controller Authentication allows the requestor to specify their Subject Alternative Name and when the certificate is issued, it is marked critical. The Subject Alternative Name critical extension is not a Java supported critical extension and therefore Java emits the following error and client fails to connect to server.



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.