Issue: OS X 10.5.x & 10.6.x treats the “Name Constraints” extension as an unknown critical extension and therefore treats the certificate as invalid due to "unrecognized critical extension".
I know there are previous threads on this subject for current live certificates of particular agencies and DoD, and we know that this issue is because OS X does not recognize the extension yet. I'm bringing this back up on the list because this issue is likely to plague Federal OS X users and their customers for the foreseeable future until resolved by Apple, since several proposed new Federal Bridge Certificates will likely have such a critical extension. This is news to me since the last posting on the subject; I had hoped newly issued certificates would not be affected, but at this time it appears that will not be the case.
Complications: Since the affected Federal Bridge cross certificates will be found in the PKCS#7 bundles found via validation of AIA locations of Federal Agency certificates, applications that use OS X’s certificate security functionality, including the OS X operating system itself, will falsely treat certificates that are valid as invalid due to very outdated libraries. As mentioned in a previous post, the OpenSSL library has been updated to recognize and use the Name Constraints extension as of 0.9.8, released 5 years ago, and the PKI definition of the “Name Constraints” extension is now 12 years old. If this is the case, this is not an issue with the certificates; it is a case of severely outdated PKI libraries in OS X.
I have put in a bug report [which will likely get sent back as duplicate and closed] and am following up with Enterprise Support, but since this issue has been occurring for 2 OS versions already with no response from Apple on related posts, I wanted to make the other Federal folks involved with PKI aware that, at this time, it appears we will be affected for the foreseeable future, until Apple addresses the issue. FPKI is being made aware of the issue, but in looking at how long ago these extensions were defined in best practices documentation, it looks like the issue is on the Apple side, with OS X failing to recognize / utilize recent libraries, and not so recent standards.
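To make the failure mode concrete, here is an added example (not from the original post or from Apple's or OpenSSL's code) that models the RFC 5280 path-validation rule in question: a validator that does not recognize the Name Constraints extension (OID 2.5.29.30) rejects the path as soon as it meets the bridge cross-certificate, while one that does recognize it evaluates the dNSName/rfc822Name subtrees and accepts the same path. The certificates are constructed dicts with placeholder names, not parsed DER.

```python
NAME_CONSTRAINTS_OID = "2.5.29.30"  # id-ce-nameConstraints

def dns_matches(name, subtree):
    # dNSName subtree "agency.example" covers that host and every subdomain.
    name, subtree = name.lower(), subtree.lower()
    return name == subtree or name.endswith("." + subtree)

def email_matches(addr, subtree):
    # rfc822Name subtree: full mailbox, exact host, or ".domain" for hosts under it.
    addr, subtree = addr.lower(), subtree.lower()
    if "@" in subtree:
        return addr == subtree
    host = addr.rsplit("@", 1)[-1]
    return host.endswith(subtree) if subtree.startswith(".") else host == subtree

MATCHERS = {"dNSName": dns_matches, "rfc822Name": email_matches}

def names_allowed(names, constraints):
    # Each name must fall in a permitted subtree of its type (if any) and in no excluded one.
    for ntype, value in names:
        match = MATCHERS[ntype]
        permitted = [v for t, v in constraints.get("permitted", ()) if t == ntype]
        excluded = [v for t, v in constraints.get("excluded", ()) if t == ntype]
        if permitted and not any(match(value, p) for p in permitted):
            return False
        if any(match(value, e) for e in excluded):
            return False
    return True

def validate_chain(chain, recognized_oids):
    # chain runs trust anchor -> leaf; each cert is a constructed dict with
    # 'extensions' {oid: (critical, value)} and 'names' [(type, value)].
    # RFC 5280 6.1: an unrecognized critical extension rejects the path; a
    # recognized Name Constraints extension binds every later certificate.
    active = []
    for cert in chain:
        if not all(names_allowed(cert["names"], c) for c in active):
            return False, "name constraints violated"
        for oid, (critical, value) in cert["extensions"].items():
            if critical and oid not in recognized_oids:
                return False, "unrecognized critical extension " + oid
            if oid == NAME_CONSTRAINTS_OID:
                active.append(value)
    return True, "ok"

# Constructed path: root -> bridge cross-cert with critical Name Constraints -> agency leaf.
BRIDGE = {"names": [], "extensions": {NAME_CONSTRAINTS_OID: (True, {
    "permitted": [("dNSName", "agency.example"), ("rfc822Name", ".agency.example")]})}}
LEAF = {"extensions": {}, "names": [("dNSName", "mail.agency.example"),
                                    ("rfc822Name", "user@mail.agency.example")]}
CHAIN = [{"extensions": {}, "names": []}, BRIDGE, LEAF]
LEGACY_VALIDATOR = {"2.5.29.19"}  # knows basicConstraints only, like the OS X behaviour described
MODERN_VALIDATOR = LEGACY_VALIDATOR | {NAME_CONSTRAINTS_OID}
```

Running `validate_chain(CHAIN, LEGACY_VALIDATOR)` yields the "unrecognized critical extension" rejection from the subject line; the same chain passes with `MODERN_VALIDATOR`.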
Related Fed-Talk Posts:
Related name constraints noted on Fed-Talk April 2010
PKI Certificates - Unknown Critical Extensions causing problems...
“Also, it looks like the *key* security binaries and/or Frameworks are *STATICALLY* linked to the 'old' OpenSSL libraries”
Related name constraints noted on Fed-Talk December 2010
Related policy constraints noted on Fed-Talk October 2009
Backup Information:
OpenSSL 0.9.8 released Tue, 05 Jul 2005 [ Over 5 years ago ]
--->
* Added support for certificate policy mappings, policy
constraints and name constraints.
<---
IETF Document Definition of “Name Constraints” extension: January 1999 [12 Years ago]
RFC 2459 (Housley, et al.), Internet X.509 Public Key Infrastructure, Standards Track, January 1999
--->
4.2.1.11 Name Constraints