Certificate contains unknown critical extension
Issue
- ipa-cacert-manage install fails when attempting to add an intermediate CA certificate, citing "Certificate contains unknown critical extension." CA cert is a valid cert used in the trust chain for certain federal PIV cards.
$ ipa-cacert-manage install <certificate>.pem -t CT,C,C
Installing CA certificate, please wait
Not a valid CA certificate: certutil: certificate is invalid: Certificate contains unknown critical extension.
Environment
- RHEL 7 & 8
- IdM
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.