When trying to convert the PFX certificate with keytool:
    keytool -importkeystore -srckeystore SomeCert.pfx -srcstoretype pkcs12 -srcstorepass SomePass -destkeystore SomeCert.jks -deststoretype jks -deststorepass SomePass
I get the following exception:
    keytool error: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
Also, when using jetty's PKCS12Import tool, as described here, I get the same exception.
The main cause is the following:
    Caused by: java.io.IOException: Duplicate extensions not allowed
        at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:96)
        at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:70)
        at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:60)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:723)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:152)
        ... 92 more
I'm using Windows 7, JDK 8u25_x64.
Any ideas why this duplicate extensions problem is happening, and how can it be solved? When I use the certificate through a browser (e.g. to access the WSDL file for some WS, through Firefox) it works O.K.
Okay, so I found out the way to convert from PFX to JKS.
Here's the procedure, for future reference:
Step 1. Convert the PFX to PEM
Step 1.1. The private key
Step 1.2. The certificate
Step 2. Create a keystore
Step 3. Create a JKS keystore
For this, OpenSSL needs to be installed and Java needs to be added to PATH (so that the keytool command is available).
If someone just needs to import a certificate with a private key into a Java keystore, skip Step 1.
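The exception in the question is raised by Java's certificate parser when a single certificate carries the same extension OID more than once, which RFC 5280 forbids. As an added example (not part of the original posts), this Python check walks a DER-encoded certificate and returns the repeated extension OIDs, which helps identify the certificate in the PFX that triggers the error; the function names are hypothetical and the sample certificate is a constructed skeleton with empty placeholder fields and no real signature.

```python
# Added example (not from the original posts): find repeated extension OIDs in a DER certificate.
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:                       # walk sibling elements in buf[start:end]
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    subs, val = [], 0
    for b in body:                           # base-128 sub-identifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)            # first two arcs share one sub-identifier
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def duplicate_extensions(der):
    _, cs, ce = read_tlv(der, 0)                     # Certificate
    _, ts, te = next(children(der, cs, ce))          # tbsCertificate
    oids = []
    for tag, vs, _ in children(der, ts, te):
        if tag == 0xA3:                              # [3] EXPLICIT Extensions
            _, es, ee = read_tlv(der, vs)            # SEQUENCE OF Extension
            for _, xs, _ in children(der, es, ee):
                _, o1, o2 = read_tlv(der, xs)        # extnID is the first field
                oids.append(decode_oid(der[o1:o2]))
    return sorted({o for o in oids if oids.count(o) > 1})

# Constructed sample: certificate skeleton with empty placeholder fields.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body            # short-form lengths only
def sample_cert(oid_bodies):
    exts = b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x04, b"\x30\x00")) for o in oid_bodies)
    tbs = tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + tlv(0x30, b"") * 5
    tbs = tlv(0x30, tbs + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + tlv(0x30, b"") + b"\x03\x01\x00")

SAN, KEY_USAGE = b"\x55\x1d\x11", b"\x55\x1d\x0f"    # 2.5.29.17, 2.5.29.15
```

For a real PFX, export each certificate to DER first (for example with `openssl x509 -outform DER`) and pass the file's bytes to `duplicate_extensions`.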