Certificate contains unknown critical extension

Solution In Progress - Updated -

Issue

  • ipa-cacert-manage install fails when attempting to add an intermediate CA certificate, reporting "Certificate contains unknown critical extension." The CA certificate is a valid certificate used in the trust chain for certain federal PIV cards.
$ ipa-cacert-manage install <certificate>.pem -t CT,C,C
Installing CA certificate, please wait
Not a valid CA certificate: certutil: certificate is invalid: Certificate contains unknown critical extension.

Environment

  • RHEL 7 & 8
    • IdM
