KB Article #61204

Certificates with critical extensions do not import into Interchange

Problem

Interchange fails to import a new certificate into a partner profile. An error of the following kind appears in the UI logs when the import is attempted:
"Caused by: Error at path index 1: com.cyclonecommerce.crossworks.CertificateExtensionException: Unhandled CRITICAL extension"


Resolution

This error occurs when one or more of the public key certificates in the chain being imported contains one or more extensions marked as critical that Interchange does not treat as critical. For example, if a certificate marks "Subject alt name" (subjectAltName) as critical, that is an unacceptable critical extension for Interchange. The full log entry for this particular extension reads: "Unhandled CRITICAL extension: OBJECT ID = subjectAltName".

According to RFC 5280 (https://tools.ietf.org/html/rfc5280):
A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process. A non-critical extension MAY be ignored if it is not recognized [...]

Continuing the example above: because the "Subject alt name" extension has been marked as critical, Interchange must reject the certificate to remain in compliance with RFC 5280. Unfortunately, this means that Interchange will not support any partner's certificates which contain critical policy constraints.

By way of background, Interchange only supports three critical extensions: keyUsage, basicConstraints and policyConstraints. As of Interchange 5.10.1 SP7 and later, Interchange also supports the critical extension extKeyUsage.

When an extension is marked as critical, the certificate user (in this case Interchange) must ensure that the certificate is used according to the constraints in that extension. Interchange has no mechanism to ensure that a certificate is used according to the names found in subjectAltName (see section 4.2.1.6 of RFC 5280). Thus, Interchange does not support subjectAltName as a critical extension.

As an aside, it is very uncommon to mark the subjectAltName extension as critical.
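As an added example (not Interchange's own code), the following Go program applies the rule described above: it parses a DER certificate and lists every critical extension whose OID is not one of the four Interchange handles (keyUsage 2.5.29.15, basicConstraints 2.5.29.19, policyConstraints 2.5.29.36, extKeyUsage 2.5.29.37). The OIDs are the standard RFC 5280 values; the self-signed certificate with a critical subjectAltName is constructed inside the program to reproduce the KB scenario, and the name partner.example is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Critical extensions Interchange (5.10.1 SP7 and later) can process; a certificate with any other critical extension fails to import.
var interchangeHandled = map[string]bool{
	"2.5.29.15": true, "2.5.29.19": true, "2.5.29.36": true, "2.5.29.37": true, // keyUsage, basicConstraints, policyConstraints, extKeyUsage
}

// unsupportedCritical returns the OIDs of critical extensions in a DER certificate that Interchange would log as "Unhandled CRITICAL extension".
func unsupportedCritical(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, ext := range cert.Extensions {
		if ext.Critical && !interchangeHandled[ext.Id.String()] {
			bad = append(bad, ext.Id.String())
		}
	}
	return bad, nil
}

// sampleCert builds a constructed self-signed certificate whose subjectAltName (OID 2.5.29.17) is critical or not, as in the KB example.
func sampleCert(criticalSAN bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IA5String.
	san, _ := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte("partner.example")}})
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "partner.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 17}, Critical: criticalSAN, Value: san}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}

func main() {
	fmt.Println(unsupportedCritical(sampleCert(true))) // [2.5.29.17] <nil>
}
```

The keyUsage extension Go emits is itself critical, so the run also shows that a handled critical extension is accepted while only the critical subjectAltName is reported.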