SAN (SubjectAlternativeNames) are marked as critical in certificates.
When you specify at least one SAN for your new certificate via New-CertificateRequest.ps1,
the SAN attribute icon has a yellow triangle with an exclamation mark.
This means the attribute is critical. The reason is the code line 794 in New-CertificateRequest.ps1:
$SubjectAlternativeNamesExtension.Critical = $True
From AI:
You should mark the Subject Alternative Name (SAN) attribute as critical
if the certificate's Subject field is empty.
This is a requirement by RFC 5280:
if a certificate's only identity information is in the SAN extension, then that extension must be critical.
Could this be changed or at least be an optional parameter? Enhancement: Only mark it as critical if SubjectDN is empty.
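
One way the requested behaviour could look, as an added example that is not code from New-CertificateRequest.ps1. It assumes the extension is built with the Windows X509Enrollment COM interfaces; the function name `New-SanExtension` and the `-SanCritical` parameter are hypothetical. RFC 5280 section 4.2.1.6 requires a critical SAN when the subject is empty and says CAs SHOULD mark it non-critical otherwise.

```powershell
# Added example; function and parameter names are hypothetical.
# Windows only: relies on the X509Enrollment COM API.
function New-SanExtension {
    [CmdletBinding()]
    param(
        # Subject DN of the request; empty means the identity lives in the SAN only.
        [string]$Subject = '',

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string[]]$DnsName,

        # Auto follows RFC 5280; Always reproduces the behaviour described in the issue.
        [ValidateSet('Auto', 'Always', 'Never')]
        [string]$SanCritical = 'Auto'
    )

    $XCN_CERT_ALT_NAME_DNS_NAME = 3
    $SubjectIsEmpty = [string]::IsNullOrWhiteSpace($Subject)

    # An empty subject combined with a non-critical SAN violates RFC 5280, so refuse it.
    if ($SubjectIsEmpty -and $SanCritical -eq 'Never') {
        throw 'Subject is empty: the SAN extension must be marked critical.'
    }

    # Collect the DNS names into an alternative-names collection.
    $AlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames
    foreach ($Entry in $DnsName) {
        $AlternativeName = New-Object -ComObject X509Enrollment.CAlternativeName
        $AlternativeName.InitializeFromString($XCN_CERT_ALT_NAME_DNS_NAME, $Entry)
        $AlternativeNames.Add($AlternativeName)
    }

    $Extension = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
    $Extension.InitializeEncode($AlternativeNames)

    # Critical only when required (empty subject) or explicitly requested.
    $Extension.Critical = switch ($SanCritical) {
        'Always' { $true }
        'Never'  { $false }
        default  { $SubjectIsEmpty }
    }
    return $Extension
}

# Constructed sample input: one request with a subject, one without.
(New-SanExtension -Subject 'CN=www.example.com' -DnsName 'www.example.com').Critical
(New-SanExtension -DnsName 'www.example.com').Critical
```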