Converting a PFX certificate to a JKS gives “Duplicate extensions not allowed” exception

…衆ロ難τιáo~ submitted on 2019-12-11 05:22:04

Question


When trying to convert the PFX certificate with keytool:

keytool -importkeystore -srckeystore SomeCert.pfx -srcstoretype pkcs12 -srcstorepass SomePass -destkeystore SomeCert.jks -deststoretype jks -deststorepass SomePass 

I get the following exception

keytool error: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed

Also, when using jetty's PKCS12Import tool, as described here, I get the same exception.

The main cause is the following:

Caused by: java.io.IOException: Duplicate extensions not allowed
      at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:96)
      at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:70)
      at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:60)
      at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:723)
      at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:152)
      ... 92 more

I'm using Windows 7, JDK 8u25_x64.

Any ideas why this duplicate extensions problem is happening, and how can it be solved? When I use the certificate through a browser (e.g. to access the WSDL file for some WS, through Firefox) it works O.K.


Answer 1:


Okay, so I found out the way to convert from PFX to JKS.

Here's the procedure, for future reference:

Step 1. convert the pfx to pem

Step 1.1. the private key

openssl pkcs12 -in SomeFile.pfx -nocerts -out privatekey.pem

Step 1.2. the certificate

openssl pkcs12 -in SomeFile.pfx -clcerts -nokeys -out certificate.pem

Step 2. create a keystore

openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -certfile certificate.pem -name "some name" -out keystore.p12

Step 3. create a JKS keystore

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

For this OpenSSL needs to be installed, and Java to be added to PATH (so that keytool command is available).

If someone just needs to import to Java keystore a certificate with a private key, skip Step 1.
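
The exception in the question is raised when a certificate's extension list carries the same extension OID more than once. The following is an added example, not part of the original question or answer: a minimal DER walker that reports which extension OIDs are repeated. The function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the original post): list extension OIDs that occur
# more than once in a DER-encoded X.509 certificate.

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Decode OID content bytes (base-128 subidentifiers) to dotted notation."""
    subs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(acc)
            acc = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def duplicate_extension_oids(cert_der):
    """Return the extnID OIDs that appear more than once, in the order found."""
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]    # Certificate -> TBSCertificate
    seen, dups = set(), []
    for tag, val in children(tbs):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            for _, ext_body in children(read_tlv(val, 0)[1]):
                oid = decode_oid(children(ext_body)[0][1])   # first field is extnID
                if oid in seen:
                    dups.append(oid)
                seen.add(oid)
    return dups

# Constructed sample: a skeleton (version, serial, extensions), not a valid certificate.
def der(tag, content):
    return bytes([tag, len(content)]) + content       # short-form lengths only

def ext(oid, value):
    return der(0x30, der(0x06, oid) + der(0x04, value))

KEY_USAGE = ext(b"\x55\x1d\x0f", b"\x03\x02\x05\xa0")  # 2.5.29.15, included twice below
SAMPLE = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") +
             der(0xA3, der(0x30, ext(b"\x55\x1d\x13", b"\x30\x00") + KEY_USAGE + KEY_USAGE))))
```

To check a real file, convert it to DER first (openssl x509 -in certificate.pem -outform der -out certificate.der) and pass the file's bytes to duplicate_extension_oids.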



Source: https://stackoverflow.com/questions/27189648/converting-a-pfx-certificate-to-a-jks-gives-duplicate-extensions-not-allowed-e
