Certificate for Active Directory with Invalid Extensions Provokes java.security.cert.CertificateException

(Doc ID 1549669.1)

Last updated on APRIL 09, 2017

Applies to:

Java SE JDK and JRE - Version 1.5.0 to 7 [Release 1.5 to 7]
Microsoft Windows x64 (64-bit)


After upgrading the internal Root CA (Microsoft Active Directory CA Cert), the “Domain Controller Authentication” certificate has a blank subject field, and its Subject Alternative Name (SAN) field is marked critical. From Windows Server 2003 to Windows Server 2008, the default Certificate Template for Domain Controller Authentication allows the requestor to specify their Subject Alternative Name, and when the certificate is issued, that extension is marked critical. Java does not support Subject Alternative Name as a critical extension, so Java emits the following error and the client fails to connect to the server.
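To confirm whether a given certificate has the combination described above (blank subject, SAN marked critical), the following check can be run against an exported copy of it. This is an added example, not code from the original document or from Oracle; the class name `SanCriticalCheck` and the exported certificate file passed as the argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

// Added diagnostic example (hypothetical class name, not Oracle's code).
public class SanCriticalCheck {
    // OID of the Subject Alternative Name extension (id-ce-subjectAltName).
    private static final String SAN_OID = "2.5.29.17";

    // True when the subject distinguished name is empty.
    static boolean hasBlankSubject(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName().length() == 0;
    }

    // True when the SAN extension is present and flagged critical.
    static boolean hasCriticalSan(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        return critical != null && critical.contains(SAN_OID);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SanCriticalCheck <exported-cert.cer>");
            System.exit(2);
        }
        // Accepts a DER or Base64 (PEM) encoded X.509 certificate file.
        InputStream in = new FileInputStream(args[0]);
        X509Certificate cert;
        try {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        } finally {
            in.close();
        }
        boolean blank = hasBlankSubject(cert);
        boolean criticalSan = hasCriticalSan(cert);
        System.out.println("Subject DN    : "
                + (blank ? "<blank>" : cert.getSubjectX500Principal().getName()));
        System.out.println("SAN entries   : " + cert.getSubjectAlternativeNames());
        System.out.println("SAN critical  : " + criticalSan);
        System.out.println("Critical OIDs : " + cert.getCriticalExtensionOIDs());
        // Exit status 1 flags the blank-subject plus critical-SAN combination.
        System.exit(blank && criticalSan ? 1 : 0);
    }
}
```

An exit status of 1 means the certificate matches the condition this document describes; 0 means it does not.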


