Java and SSL bind error with "critical extension unsupported"

 If you have an old version of Java and are trying to bind on 636 or LDAPS to a Domain Controller you will get this error if you certificate is not using the correct template:

Caused by: com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.CommunicationException: simple bind failed: dc.server.bear:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]]' naming exception occurred during processing.

This is your issue - the Subject is blank, this needs to be the server name:

You will need the change the Subject name format from None to Common name. To get to this option box, do the following:


1. Open the Server Manager
2. Expand Roles > Active Directory Certificate Services
3. Click Certificate Templates
4. Right click on Domain Controller Authentication and click properties
5. Click the Subject Name tab
6. Change the Subject name format drop-down option from None to Common name
7. Click OK

This will change the settings for this template. However, if you have issued any Domain Controller certificates up to this point, you will need to reissue new certificate.