Unable to intercept using an intermediate CA; event log shows "Failed to create authority key identifier extension"


Article ID: 168703


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

- When interception is enabled, the browser shows "page cannot be displayed"
- The failure occurs with all browsers
- The event log shows the error "Failed to create authority key identifier extension"

Cause

The intermediate CA certificate was not signed correctly: it does not include the "Authority Key Identifier (AKI)" extension in its certificate extensions.

Resolution

Re-sign the intermediate CA certificate and make sure the AKI extension is included. You can verify this by opening the certificate and going to Details > Extensions, where "Authority Key Identifier" should be listed.
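As an added example (not part of the KB article), the following shell script uses OpenSSL to build throwaway test certificates: a root CA signs the same intermediate CSR twice, once with an extension profile that omits the AKI (the broken case described above) and once with a profile that includes it (what the Resolution asks for), then checks each certificate for the extension the way you would in the certificate details. All subject names, file names and extension profiles are assumptions made for this example.

```shell
#!/bin/sh
# Added example: reproduce an intermediate CA signed without an Authority Key
# Identifier, then the corrected signing with AKI, and check both with openssl.
# Everything here is throwaway test material created in a temporary directory.
set -eu
WORK="$(mktemp -d)"

# Throwaway self-signed root CA (subject name is an assumption for this example).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

# Key and CSR for the intermediate CA that will be signed twice.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Example Test Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1

# Extension profile WITHOUT authorityKeyIdentifier: reproduces the broken
# intermediate from the Cause section.
cat > "$WORK/no_aki.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Extension profile WITH authorityKeyIdentifier: key id from the issuer's SKI,
# plus issuer name and serial, as the Resolution requires.
cat > "$WORK/with_aki.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
EOF

# sign_intermediate <extension file> <output cert>: sign the CSR with the root CA.
sign_intermediate() {
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$1" -out "$2" >/dev/null 2>&1
}
sign_intermediate "$WORK/no_aki.ext"   "$WORK/int_no_aki.crt"
sign_intermediate "$WORK/with_aki.ext" "$WORK/int_with_aki.crt"

# has_aki <cert>: exit 0 if the certificate carries the AKI extension, 1 if not.
has_aki() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Authority Key Identifier'
}
```

Run `has_aki` against the intermediate you intend to load on the ProxySG; if it reports no AKI, re-sign it with a profile like `with_aki.ext` before importing it.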

Authority Key Identifier

The Authority Key Identifier (AKI) extension provides a means to identify the public key of the CA that validates the signature on a CRL. This identification is based on either the subject key identifier (SKI) or the issuer name and serial number from the certificate that is issued by the CRL issuer. The AKI extension is useful in cases when a CRL issuer has more than one signing key.

An organization that expects its PKI certificates to be used by other Windows Server 2003 PKIs must populate the Authority Key Identifier extension with a unique key identifier and an issuer name and serial number. The Windows Server 2003 PKI attempts to construct certificate chains by using the issuer name and serial number in the AKI first, and then the subject key identifier.