This article explains how to add a critical extension to a newly generated certificate in SafeGuard LAN Crypt Administration 3.80 and above.
The SafeGuard LAN Crypt Administration component can generate self-signed certificates. These certificates can only be used by SafeGuard LAN Crypt. The certificates also have a critical extension to show applications that they must not be used. These are simple certificates (comparable to Class-1 certificates) which comply with the X.509 standard.
In SafeGuard LAN Crypt you can configure whether or not a critical extension is added to a newly generated certificate or not.
Known to apply to the following Sophos product(s) and version(s)
SafeGuard LAN Crypt Administration 3.90.0
SafeGuard LAN Crypt Administration 3.80
What To Do
- In Safeguard LAN Crypt Preferences select the Certificates tab.
- Check the option 'Add critical extension to new-created certificates'.
Important additional information about using critical extensions.
- In certain situations other applications will ignore these critical extensions on SafeGuard LAN Crypt certificates, which causes problems with these self-signed certificates.
In such cases you must explicitly deactivate all the areas of use for SafeGuard LAN Crypt certificates using the Microsoft Management Console’s certificate snap-in to prevent these certificates from being used in other applications.
- The certificates are assigned to the users within the SafeGuard Administration component.
- SafeGuard LAN Crypt only uses the Microsoft Crypto API for certificate functionality.
- SafeGuard LAN Crypt supports all Cryptographic Service Providers (CSPs) that comply with certain standards (e.g. RSA key length at least 1024 bits). They include, among others, the Microsoft Enhanced CSP.
Note: The Microsoft Standard CSP (Microsoft Base CSP) cannot be used.
If you have any questions about the compatibility of other CSPs, please contact the support team.