NetWorker Java keytool importing CA certificate results in Unparseable AuthorityInfoAccess extension due to java.io.IOException: invalid URI name

Summary: When attempting to import a CA certificate using Java's keytool binary, the following error is produced: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false Unparseable AuthorityInfoAccess extension due to java.io.IOException: invalid URI name:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com ...


Symptoms

When attempting to import a CA certificate using Java's keytool binary, the following error is produced:

ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false Unparseable AuthorityInfoAccess extension due to java.io.IOException:
Invalid URI name:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com

Cause

The problem is with OID 1.3.6.1.5.5.7.1.1, which is the Authority Information Access extension. The General Name encoding of the URI is incorrect. Oracle's JVM tries to parse the extension and encounters the problem.

Resolution

This is not a NetWorker issue.

See RFC 2459 for details on how the extension should be encoded. Also, see RFC 2459, page #32, for URI standards.

Generate the CA with the correct URI encoding or without URI. Steps for importing the CA certificate are outlined in the below "Notes" section and in the "NetWorker Security Configuration Guide." See the documentation for your NetWorker version. https://www.dell.com/support/product-details/en-us/product/networker/docs
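A pre-import check for the condition described under Cause, added here as an example (not Dell's or Oracle's code): it reads the text printed by `openssl x509 -noout -text -in certificate_file` and flags Authority Information Access URIs that lack a scheme or contain characters a URI cannot hold. The function names, the constructed sample output, and the use of the RFC 3986 character set as the definition of "valid" are assumptions; Java's own parser may differ in detail.

```python
import re

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
# The first URI is the value shown in the article's error message.
SAMPLE_TEXT = r"""
            Authority Information Access:
                CA Issuers - URI:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com
                CA Issuers - URI:http://pki.example.test/CertEnroll/ca.crt
                OCSP - URI:ocsp.example.test
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

# RFC 2459 requires a scheme; the character set below is RFC 3986's
# (unreserved + reserved + "%"), used here as an assumption about "valid".
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
ILLEGAL = re.compile(r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]")
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

def aia_uris(text):
    """Yield each URI listed under the Authority Information Access header."""
    in_aia = False
    for line in text.splitlines():
        entry = line.lstrip()
        if entry.startswith("Authority Information Access"):
            in_aia = True
        elif in_aia:
            _method, sep, name = entry.partition(" - ")
            if not sep:
                in_aia = False  # next extension header ends the AIA block
            elif name.startswith("URI:"):
                yield name[len("URI:"):]

def uri_problems(uri):
    """Return the reasons a URI would not parse as an absolute URI."""
    problems = []
    if not SCHEME.match(uri):
        problems.append("no scheme")
    bad = sorted(set(ILLEGAL.findall(uri)))
    if bad:
        problems.append("illegal characters: " + " ".join(map(repr, bad)))
    if BAD_ESCAPE.search(uri):
        problems.append("malformed percent-escape")
    return problems

def check_certificate_text(text):
    """Map every failing AIA URI to its list of problems."""
    checked = ((uri, uri_problems(uri)) for uri in aia_uris(text))
    return {uri: problems for uri, problems in checked if problems}
```

An empty result from `check_certificate_text` means no AIA URI tripped these checks; any entry it returns points at a value the issuing CA would need to re-encode or omit.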

Additional Information

Identify your Java install path:


Linux:

If using NetWorker Runtime Environment (NRE): /opt/nre/java/latest
If using Oracle Java Runtime Environment (JRE): /usr/java/latest

Windows:

If using NetWorker Runtime Environment (NRE): C:\Program Files\NRE\java\jre#.#.#_### (Version folder varies depending on the NRE version installed).
If using Oracle Java Runtime Environment (JRE), the install path varies depending on the options selected during install.


How to correctly import a CA certificate:

 

Check to see if a certificate has been imported for your LDAPS server:
java_path/bin/keytool -list -keystore java_path/lib/security/cacerts -storepass changeit
NOTE: Java's default keytool password is changeit.
Optionally, if the keystore contains expired trusted Java certificates for the LDAPS server, delete the certificates:
java_path/bin/keytool -delete -alias ALIAS_NAME -keystore java_path/lib/security/cacerts -storepass changeit
It is recommended to use openssl to validate the certificate on the NetWorker server:
openssl s_client -showcerts -connect LDAPS_server:636
NOTE: The output of this command lists the root Certificate Authority (CA) certificate and any intermediate certificates (if used). By default, Windows does not include the openssl program. The OpenSSL website describes how to download and install the program. Optionally, the command can be run on a Linux host (if available in the environment). The output of the command can be copied to the NetWorker server.
Certificate file example
Create a file for each certificate, for example:
  • Intermediate Certificate One: ICA1.crt
  • Intermediate Certificate Two: ICA2.crt
  • Root Certificate: RCA.crt
NOTE: If OpenSSL shows only one certificate, there are no intermediate certificates. The certificate configuration varies depending on the environment configuration. Import the certificate chain in the order shown in OpenSSL: the first certificate is the last intermediate certificate, and the last is the root CA.

 

The certificates can be imported by running the Java keytool program:
For any intermediate certificates in a certificate chain:
java_path/bin/keytool -import -alias ICA1 -keystore java_path/lib/security/cacerts -storepass "password" -file ICA1_certificate_file
java_path/bin/keytool -import -alias ICA2 -keystore java_path/lib/security/cacerts -storepass "password" -file ICA2_certificate_file
...and so forth
For the root CA:
java_path/bin/keytool -import -alias CA -keystore java_path/lib/security/cacerts -storepass "password" -file rootCA_certificate_file
If no errors are reported, enter "yes" to trust the certificate.

Once the certificate files have been imported, restart the NetWorker server services. This is required in order for the authentication service (authc) to re-read the cacerts file and load the certificates.
Linux: 
systemctl restart networker
Windows:
net stop nsrd
net start nsrd
 

Affected Products

NetWorker

Products

NetWorker, NetWorker Management Console
Article Properties
Article Number: 000032279
Article Type: Solution
Last Modified: 14 Mar 2025
Version:  5