Unable to intercept using intermediate CA; event log shows "Failed to create authority key identifier extension"


Article ID: 168703




ProxySG Software - SGOS


- When intercepting, the browser shows "page cannot be displayed"
- The failure occurs with all browsers
- The event log shows the error "Failed to create authority key identifier extension"


The intermediate CA certificate is not correctly signed: it does not include the "Authority Key Identifier (AKI)" extension in the certificate's extension fields.


Re-sign the certificate and make sure the AKI is included in the extensions. You can check this by opening the certificate and going to Details > Extensions.

Authority Key Identifier

The Authority Key Identifier (AKI) extension provides a means to identify the public key of the CA that validates the signature on a CRL. This identification is based on either the subject key identifier (SKI) or the issuer name and serial number from the certificate that is issued by the CRL issuer. The AKI extension is useful in cases when a CRL issuer has more than one signing key.

An organization that expects its PKI certificates to be used by other Windows Server 2003 PKIs must populate the Authority Key Identifier extension with a unique key identifier and an issuer name and serial number. The Windows Server 2003 PKI attempts to construct certificate chains by using the issuer name and serial number in the AKI first, and then the subject key identifier.
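The check described in the resolution, and the AKI forms named above (key identifier, issuer name, serial number), can also be scripted before the intermediate CA is imported. This is an added example, not Broadcom or ProxySG code: a standard-library DER walker whose function names are hypothetical and whose sample inputs are constructed, unsigned certificate skeletons.

```python
AKI_OID = bytes.fromhex("551d23")  # DER content bytes of OID 2.5.29.35 (authorityKeyIdentifier)
AKI_FIELDS = {0x80: "keyIdentifier", 0xA1: "authorityCertIssuer", 0x82: "authorityCertSerialNumber"}

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def aki_fields(cert_der):
    """Return the AKI field names present, or None if the extension is absent."""
    tbs = children(children(cert_der)[0][1])[0][1]  # Certificate -> tbsCertificate
    for wrapper in (v for t, v in children(tbs) if t == 0xA3):  # [3] EXPLICIT Extensions
        for _, ext in children(children(wrapper)[0][1]):  # each Extension SEQUENCE
            fields = children(ext)  # extnID, optional critical flag, extnValue
            if fields[0][1] == AKI_OID:
                aki_seq = children(fields[-1][1])[0][1]  # OCTET STRING -> AKI SEQUENCE
                return [AKI_FIELDS.get(t, hex(t)) for t, _ in children(aki_seq)]
    return None

# --- constructed sample input: unsigned skeletons, not real certificates ---
def tlv(tag, content=b""):
    """Minimal DER encoder for the samples (content shorter than 256 bytes)."""
    size = bytes([len(content)]) if len(content) < 0x80 else bytes([0x81, len(content)])
    return bytes([tag]) + size + content

def sample_cert(extensions):
    body = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 5  # version, serial, stubs
    if extensions:
        body += tlv(0xA3, tlv(0x30, b"".join(extensions)))
    return tlv(0x30, tlv(0x30, body) + tlv(0x30) + tlv(0x03, b"\x00"))

SKI_EXT = tlv(0x30, tlv(0x06, bytes.fromhex("551d0e")) + tlv(0x04, tlv(0x04, b"\x11" * 20)))
AKI_EXT = tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, tlv(0x80, b"\x22" * 20))))
GOOD, BAD = sample_cert([SKI_EXT, AKI_EXT]), sample_cert([SKI_EXT])
```

For a real certificate, pass the DER bytes to `aki_fields` (for a PEM file, base64-decode the body between the BEGIN and END lines first). A return value of `None` corresponds to the cause described in this article.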