NetWorker Java keytool importing CA certificate results in Unparseable AuthorityInfoAccess extension due to java.io.IOException: invalid URI name

Summary: When attempting to import a CA certificate using Java's keytool binary, the following error is produced: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false Unparseable AuthorityInfoAccess extension due to java.io.IOException: invalid URI name:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com ...


Symptoms

When attempting to import a CA certificate using Java's keytool binary, the following error is produced:

ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false Unparseable AuthorityInfoAccess extension due to java.io.IOException:
Invalid URI name:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com

Cause

The problem is with OID 1.3.6.1.5.5.7.1.1, which is the Authority Information Access extension. The GeneralName encoding of the URI is incorrect. Oracle's JVM tries to parse the extension and encounters the problem.

Resolution

This is not a NetWorker issue.

See RFC 2459 for details on how the extension should be encoded. Also, see RFC 2459, page 32, for URI standards.

Generate the CA with the correct URI encoding or without URI. Steps for importing the CA certificate are outlined in the below "Notes" section and in the "NetWorker Security Configuration Guide." See the documentation for your NetWorker version. https://www.dell.com/support/product-details/en-us/product/networker/docs
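A pre-import check for the condition described above, as an added example that is not part of the original article or of NetWorker: it scans the text printed by `openssl x509 -noout -text` for access-description URIs and reports any that lack a scheme or contain characters RFC 3986 does not allow unescaped. It is a character-level check, not a reimplementation of Java's URI parser; the sample text is constructed and the `ocsp.example.test` URL is made up.

```python
import re
import sys

# RFC 3986 characters: unreserved + reserved + "%" (percent-escape introducer).
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
              "-._~:/?#[]@!$&'()*+,;=%")
SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:")
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")
# openssl prints access descriptions as "<method> - URI:<value>", one per line.
ACCESS_URI = re.compile(r"^[ \t]*(.+?) - URI:(.*)$", re.M)

def illegal_chars(uri):
    return sorted(set(uri) - ALLOWED)  # e.g. spaces and backslashes

def uri_problems(uri):
    """Return a list of reasons the URI would be rejected; empty if it looks fine."""
    problems = []
    if not SCHEME.match(uri):
        problems.append("missing scheme")
    bad = illegal_chars(uri)
    if bad:
        problems.append("illegal characters: " + ", ".join(map(repr, bad)))
    if BAD_ESCAPE.search(uri):
        problems.append("malformed percent-escape")
    return problems

def check_access_uris(openssl_text):
    """Return (method, uri, problems) for every access URI that fails the check."""
    findings = []
    for method, uri in ACCESS_URI.findall(openssl_text):
        uri = uri.rstrip("\r")
        problems = uri_problems(uri)
        if problems:
            findings.append((method, uri, problems))
    return findings

# Constructed sample in the layout of `openssl x509 -noout -text`; the first URI
# is the value from the error message above, the second is a made-up valid one.
SAMPLE = r"""
            Authority Information Access:
                CA Issuers - URI:file:// \\SAMPLE.string.com\CertEnroll\SAMPLE.string.com
                OCSP - URI:http://ocsp.example.test/
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = check_access_uris(text)
    for method, uri, problems in findings:
        print(f"{method}: {uri!r} -> {'; '.join(problems)}")
    sys.exit(1 if findings else 0)
```

To check a real certificate, pipe `openssl x509 -in certificate_file -noout -text` into the script (saved under any name, for example the hypothetical `check_aia.py`); a non-zero exit status means at least one URI was flagged.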

Additional Information

Identify your Java install path:


Linux:

If using NetWorker Runtime Environment (NRE): /opt/nre/java/latest
If using Oracle Java Runtime Environment (JRE): /usr/java/latest

Windows:

If using NetWorker Runtime Environment (NRE): C:\Program Files\NRE\java\jre#.#.#_### (Version folder varies depending on the NRE version installed).
If using Oracle Java Runtime Environment (JRE), the install path varies depending on the options selected during install.


How to correctly import a CA certificate:

 

Check to see if a certificate has been imported for your LDAPS server:
java_path/bin/keytool -list -keystore java_path/lib/security/cacerts -storepass changeit
NOTE: The default password of Java's cacerts keystore is changeit.
Optionally, if the keystore contains expired trusted Java certificates for the LDAPS server, delete the certificates:
java_path/bin/keytool -delete -alias ALIAS_NAME -keystore java_path/lib/security/cacerts -storepass changeit
It is recommended to use openssl to validate the certificate on the NetWorker server:
openssl s_client -showcerts -connect LDAPS_server:636
NOTE: The output of this command lists the root Certificate Authority (CA) certificate, and any Intermediate certificate (if used). By default Windows does not include the openssl program. The OpenSSL website describes how to download and install the program. Optionally, the command can be run on a Linux host (if available in the environment). The output of the command can be copied to the NetWorker server. 
Certificate file example
Create a file for each certificate, for example:
  • Intermediate Certificate One: ICA1.crt
  • Intermediate Certificate Two: ICA2.crt
  • Root Certificate: RCA.crt
NOTE: If OpenSSL shows only one certificate, there are no intermediate certificates. The certificate configuration varies depending on the environment configuration. Import the certificate chain in the order shown in OpenSSL: the first certificate is the last intermediate certificate, and the last is the root CA.

 

The certificates can be imported by running the Java keytool program:
For any intermediate certificates in a certificate chain:
java_path/bin/keytool -import -alias ICA1 -keystore java_path/lib/security/cacerts -storepass "password" -file ICA1_certificate_file
java_path/bin/keytool -import -alias ICA2 -keystore java_path/lib/security/cacerts -storepass "password" -file ICA2_certificate_file
...and so forth
For the root CA:
java_path/bin/keytool -import -alias CA -keystore java_path/lib/security/cacerts -storepass "password" -file rootCA_certificate_file
If no errors are reported, enter "yes" to trust the certificate.

Once the certificate files have been imported, restart the NetWorker server services. This is required in order for the authentication service (authc) to re-read the cacerts file and load the certificates.
Linux: 
systemctl restart networker
Windows:
net stop nsrd
net start nsrd
 

Affected Products

NetWorker

Products

NetWorker, NetWorker Management Console
Article Properties
Article Number: 000032279
Article Type: Solution
Last Modified: 14 Mar 2025
Version: 5