JNLP: Extended key usage does not permit use for code signing

Time: 2016-10-12 20:10:55

Tags: java ssl openssl keytool jarsigner

I am running into a situation where launching the JNLP produces the message: sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing.

Here is the thing: the problem only occurs when I use java's keytool to generate the private key and csr, send the csr off to be signed (without the code_sign extension), and then import the signed cert together with the intermediate and root ca into the keystore of the originally created private key. After doing this, I create a jar using the public key (and tried it by importing the intermediate and root ca as well) and sign it with the keystore that contains everything.

Some of you may be thinking to yourselves that there is no catch here, and that sounds right. Maybe that is the problem... The problem does not occur if I use openssl to generate the private key and csr. Once I do that, I take the signed cert (also without the code_sign extension) and create a p12, which I use to create the java keystore: keytool -importkeystore -srckeystore combinedpubandpriv.p12 -srcstoretype PKCS12 -destkeystore newkeystore.jks -deststoretype JKS

After creating the keystore this way, I add the intermediate and root ca to it, create the jar and sign it without ending up with "Extended key usage does not permit use for code signing".

So the question is somewhat twofold. 1. Why does the jar signed after creating the private key and csr via openssl not get this error; and 2. Is there a bug when creating the private key and csr via java's keytool command?

10/21 update: I can no longer reproduce it. But these are the openssl commands I used when signing the jar with the openssl-generated cert:

[10/24: steps removed because they do not accurately reflect how I did it]

10/24 edit:

I can reproduce this again. Here are the details.

My conclusion is that java is either:

    1. interpreting the openssl-generated cert as a self-signed cert (because it has no cert chain); or
    2. unable to run the jnlp with a cert whose chain length is greater than 1 without the code signing EKU.

    Using these steps I do NOT get the error mentioned in the title:

      1. openssl genrsa -aes256 -out /home/user/ca/intermediate/private/myserver.key.pem -passout pass:password 2048
      2. openssl req -days 365 -config /home/user/ca/intermediate/openssl.cnf -out /home/user/ca/intermediate/csr/myserver.csr -key /home/user/ca/intermediate/private/myserver.key.pem -new -passin pass:password
      3. openssl ca -config /home/user/ca/intermediate/openssl.cnf -extensions server_cert -days 365 -notext -md sha256 -out /home/user/ca/intermediate/certs/myserver.cert.pem -infiles /home/user/ca/intermediate/csr/myserver.csr
      4. openssl pkcs12 -export -in /home/user/ca/intermediate/certs/myserver.cert.pem -inkey /home/user/ca/intermediate/private/myserver.key.pem -out /home/user/ca/intermediate/certs/myserver.p12 -name testalias -password pass:password -passin pass:password
      5. keytool -importkeystore -srckeystore /home/user/ca/intermediate/certs/myserver.p12 -srcstoretype PKCS12 -destkeystore custom.jks -deststoretype JKS -srcstorepass password -deststorepass password
      6. keytool -importcert -alias rootca -file /home/user/ca/certs/ca.cert.pem -keystore custom.jks -v -rfc -storepass password
      7. keytool -importcert -alias intermediateca -file /home/user/ca/intermediate/certs/intermediate.cert.pem -keystore custom.jks -v -rfc -storepass password
      8. keytool -exportcert -alias testalias -file export.crt -keystore custom.jks -storepass password
      9. keytool -importcert -alias testalias -file export.crt -keystore testabc.jks -storepass password -v -rfc
      10. jar cvf custom.jar testabc.jks
      11. jarsigner -keystore ./custom.jks -verbose -keypass password -storepass password custom.jar testalias

    NOTES:

      1: The jar file I create does need to be named custom.jar. If it is not, it produces the error "JAR resources in JNLP file are not signed by same certificate".
      2: I created the root and intermediate signing CAs using the following steps: https://jamielinux.com/docs/openssl-certificate-authority/ (thanks Jamie!)
      3: My openssl.cnf is part of the following: https://jamielinux.com/docs/openssl-certificate-authority/_downloads/intermediate-config.txt
      4: My openssl.cnf differs from the one linked in NOTE 3 in that:
        a. dir points to a different directory
        b. I removed the policy_strict, v3_intermediate_ca, usr_cert, crl_ext and ocsp sections
        c. I changed the defaults in the req_distinguished_name section
        d. I removed critical from the v3_ca basicConstraints and keyUsage sections, though the problem occurred before this
        e. I removed critical from the server_cert keyUsage section

    Using these steps I DO get the error mentioned in the title:

      1. keytool -genkeypair -keystore custom.jks -storepass password -keyalg RSA -keysize 2048 -keypass password -alias testalias
      2. keytool -certreq -keystore custom.jks -storepass password -alias testalias -keypass password -file myserver.csr
      3. openssl ca -config /home/user/ca/intermediate/openssl.cnf.BeforeModifyingForCSRs -extensions server_cert -days 365 -notext -md sha256 -out /home/user/ca/intermediate/certs/myserver.cert.pem -infiles myserver.csr
      4. keytool -importcert -alias rootca -file /home/user/ca/certs/ca.cert.pem -keystore custom.jks -v -rfc -storepass password
      5. keytool -importcert -alias intermediateca -file /home/user/ca/intermediate/certs/intermediate.cert.pem -keystore custom.jks -v -rfc -storepass password
      6. keytool -importcert -alias testalias -file /home/user/ca/intermediate/certs/myserver.cert.pem -keystore custom.jks -v -rfc -storepass password
      7. keytool -exportcert -alias testalias -file export.crt -keystore custom.jks -storepass password
      8. keytool -importcert -alias testalias -file export.crt -keystore testabc.jks -storepass password -v -rfc
      9. jar cvf custom.jar testabc.jks
      10. jarsigner -keystore ./custom.jks -verbose -keypass password -storepass password custom.jar testalias

    keytool output for the keystore and alias WITH the problem:

        Enter keystore password:  
        Alias name: testalias  
        Creation date: Oct 12, 2016  
        Entry type: PrivateKeyEntry  
        Certificate chain length: 3  
        Certificate[1]:  
        Owner: CN=myserver, OU=CA, O=CA, L=CA, ST=CA, C=CA  
        Issuer: EMAILADDRESS=mycertadmin@myorg.com, CN=intermediateca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US  
        Serial number: 1044  
        Valid from: Wed Oct 12 12:16:00 EDT 2016 until: Thu Oct 12 12:16:00 EDT 2017  
        Certificate fingerprints:  
                MD5:  EE:26:A8:D3:6A:21:27:01:F1:98:A2:12:91:CB:7D:FE  
                SHA1: E0:2E:A1:38:DE:A6:C8:53:AF:C2:A1:25:73:F3:AB:3A:A7:19:ED:6C  
                SHA256: A4:12:4A:7A:65:A5:A7:42:36:DC:86:54:D8:6C:50:42:9B:45:40:6F:C3:99:F9:64:D8:DA:F7:B3:B2:2A:DD:0E  
                Signature algorithm name: SHA256withRSA  
                Version: 3  
        
        Extensions:  
        #1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false  
        0000: 16 24 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  .$OpenSSL Genera  
        0010: 74 65 64 20 53 65 72 76   65 72 20 43 65 72 74 69  ted Server Certi  
        0020: 66 69 63 61 74 65                                  ficate  
        
        
        #2: ObjectId: 2.5.29.35 Criticality=false  
        AuthorityKeyIdentifier [  
        KeyIdentifier [  
        0000: EA 08 F0 F6 CC 10 32 7B   A9 A1 93 7A A3 82 A0 11  ......2....z....  
        0010: AC 13 03 D2                                        ....  
        ]  
        [EMAILADDRESS=mycertadmin@myorg.com, CN=rootca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US]  
        SerialNumber: [    1000]  
        ]  
        
        #3: ObjectId: 2.5.29.19 Criticality=false  
        BasicConstraints:[  
          CA:false  
          PathLen: undefined  
        ]  
        
        #4: ObjectId: 2.5.29.37 Criticality=false  
        ExtendedKeyUsages [  
          serverAuth  
        ]  
        
        #5: ObjectId: 2.5.29.15 Criticality=true  
        KeyUsage [  
          DigitalSignature  
          Key_Encipherment  
        ]  
        
        #6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false  
        NetscapeCertType [  
           SSL server  
        ]  
        
        #7: ObjectId: 2.5.29.14 Criticality=false  
        SubjectKeyIdentifier [  
        KeyIdentifier [  
        0000: 8E 89 8C 3A 9C 41 B3 9E   F6 A8 C1 F6 DD 30 9B 12  ...:.A.......0..  
        0010: FA 0C 29 90                                        ..).  
        ]  
        ]  
        
        Certificate[2]:  
        Owner: EMAILADDRESS=mycertadmin@myorg.com, CN=intermediateca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US  
        Issuer: EMAILADDRESS=mycertadmin@myorg.com, CN=rootca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US  
        Serial number: 1000  
        Valid from: Thu Mar 17 15:44:38 EDT 2016 until: Sun Mar 15 15:44:38 EDT 2026  
        Certificate fingerprints:  
                 MD5:  E8:B8:A9:F9:57:99:CB:AD:EC:33:D7:93:41:3C:BF:C5  
                 SHA1: BA:E4:7A:3C:F9:3C:40:4A:ED:31:69:84:F1:FC:48:BF:A2:46:C6:64  
                 SHA256: A4:79:DB:0E:34:CE:EE:32:AC:4D:59:96:97:22:7F:EA:D3:B5:54:9E:07:AF:DB:5D:FE:C4:7F:C0:2A:10:3B:AA  
                 Signature algorithm name: SHA256withRSA  
                 Version: 3  
        
        Extensions:   
        
        #1: ObjectId: 2.5.29.35 Criticality=false  
        AuthorityKeyIdentifier [  
        KeyIdentifier [  
        0000: BE 53 42 23 BD 7C 92 61   20 DF 9D 6A CE EA 90 85  .SB#...a ..j....  
        0010: 6D 46 60 02                                        mF`.  
        ]  
        ]  
        
        #2: ObjectId: 2.5.29.19 Criticality=true  
        BasicConstraints:[  
          CA:true  
          PathLen:0  
        ]  
        
        #3: ObjectId: 2.5.29.15 Criticality=true  
        KeyUsage [  
          DigitalSignature  
          Key_CertSign  
          Crl_Sign  
        ]  
        
        #4: ObjectId: 2.5.29.14 Criticality=false  
        SubjectKeyIdentifier [  
        KeyIdentifier [  
        0000: EA 08 F0 F6 CC 10 32 7B   A9 A1 93 7A A3 82 A0 11  ......2....z....  
        0010: AC 13 03 D2                                        ....  
        ]  
        ]  
        
        Certificate[3]:  
        Owner: EMAILADDRESS=mycertadmin@myorg.com, CN=rootca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US  
        Issuer: EMAILADDRESS=mycertadmin@myorg.com, CN=rootca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US  
        Serial number: cd02b56d83aaa294  
        Valid from: Thu Mar 17 15:43:27 EDT 2016 until: Wed Mar 12 15:43:27 EDT 2036  
        Certificate fingerprints:  
                 MD5:  02:FD:FC:8A:C9:BC:0C:DE:0F:E2:41:D7:7A:7D:BE:78  
                 SHA1: EC:F0:F5:C4:24:0A:E0:C1:4F:2F:C0:82:20:09:86:31:4D:7A:D3:A2  
                 SHA256: 0E:3B:64:DA:11:A7:D9:43:3A:01:01:79:C4:5F:12:DF:9A:87:85:10:37:6D:B9:CF:DB:EE:7B:57:5F:50:E8:E0  
                 Signature algorithm name: SHA256withRSA  
                 Version: 3  
        
        Extensions:   
        
        #1: ObjectId: 2.5.29.35 Criticality=false  
        AuthorityKeyIdentifier [  
        KeyIdentifier [  
        0000: BE 53 42 23 BD 7C 92 61   20 DF 9D 6A CE EA 90 85  .SB#...a ..j....  
        0010: 6D 46 60 02                                        mF`.  
        ]  
        ]  
        
        #2: ObjectId: 2.5.29.19 Criticality=true  
        BasicConstraints:[  
          CA:true  
          PathLen:2147483647  
        ]  
        
        #3: ObjectId: 2.5.29.15 Criticality=true  
        KeyUsage [  
          DigitalSignature  
          Key_CertSign  
          Crl_Sign  
        ]  
        
        #4: ObjectId: 2.5.29.14 Criticality=false  
        SubjectKeyIdentifier [  
        KeyIdentifier [  
        0000: BE 53 42 23 BD 7C 92 61   20 DF 9D 6A CE EA 90 85  .SB#...a ..j....  
        0010: 6D 46 60 02                                        mF`.  
        ]  
        ]  
        

    keytool output for the keystore and alias WITHOUT the problem:

        Enter keystore password:  
        Alias name: testalias
        Creation date: Oct 12, 2016
        Entry type: trustedCertEntry
        
        Owner: EMAILADDRESS=myuser@myorg.com, CN=myserver, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US
        Issuer: EMAILADDRESS=mycertadmin@myorg.com, CN=intermediateca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US
        Serial number: 1042
        Valid from: Wed Oct 12 10:57:01 EDT 2016 until: Thu Oct 12 10:57:01 EDT 2017
        Certificate fingerprints:
                 MD5:  40:D0:69:90:87:41:88:33:92:EE:4F:E7:74:1F:F2:C8
                 SHA1: 41:BC:5F:14:D1:89:40:3E:BA:B8:CF:D0:07:1A:74:54:EB:C0:8C:F4
                 SHA256: F8:4F:74:B6:CD:2B:12:52:0C:78:96:A8:18:90:11:30:9D:E5:10:6B:FE:F8:7A:B9:A4:E5:9E:20:BF:E2:A7:A2
                 Signature algorithm name: SHA256withRSA
                 Version: 3
        
        Extensions: 
        
        #1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
        0000: 16 24 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  .$OpenSSL Genera
        0010: 74 65 64 20 53 65 72 76   65 72 20 43 65 72 74 69  ted Server Certi
        0020: 66 69 63 61 74 65                                  ficate
        
        
        #2: ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: EA 08 F0 F6 CC 10 32 7B   A9 A1 93 7A A3 82 A0 11  ......2....z....
        0010: AC 13 03 D2                                        ....
        ]
        [EMAILADDRESS=mycertadmin@myorg.com, CN=rootca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US]
        SerialNumber: [    1000]
        ]
        
        #3: ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
        
        #4: ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
        ]
        
        #5: ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_Encipherment
        ]
        
        #6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
        NetscapeCertType [
           SSL server
        ]
        
        #7: ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: C3 3A D6 16 1D 2F D4 B9   2E FD E7 8E 97 32 D3 0A  .:.../.......2..
        0010: 5B 13 4E B7                                        [.N.
        ]
        ]
        

    jarsigner -verify output for the jar file WITHOUT the problem: jarsigner -verify -verbose -keystore custom.jks -certs custom.jar testalias

        s k      151 Wed Oct 12 12:48:00 EDT 2016 META-INF/MANIFEST.MF
        
              X.509, EMAILADDRESS=myuser@myorg.com, CN=myserver, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US (testalias)
              [certificate is valid from 10/12/16 12:47 PM to 10/12/17 12:47 PM]
              [ExtendedKeyUsage, NetscapeCertType extension does not support code signing]
        
                 313 Wed Oct 12 12:48:00 EDT 2016 META-INF/TESTALIA.SF
                1972 Wed Oct 12 12:48:00 EDT 2016 META-INF/TESTALIA.RSA
                   0 Wed Oct 12 12:48:00 EDT 2016 META-INF/
        smk     1545 Wed Oct 12 12:48:00 EDT 2016 testabc.jks
        
              X.509, EMAILADDRESS=myuser@myorg.com, CN=myserver, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US (testalias)
              [certificate is valid from 10/12/16 12:47 PM to 10/12/17 12:47 PM]
              [ExtendedKeyUsage, NetscapeCertType extension does not support code signing]
        
        
          s = signature was verified 
          m = entry is listed in manifest
          k = at least one certificate was found in keystore
          i = at least one certificate was found in identity scope
          X = not signed by specified alias(es)
        
        jar verified.
        
        Warning: 
        This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.
        This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.
        This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2017-10-12) or after any future revocation date.
        

    jarsigner -verify output for the jar file WITH the problem: jarsigner -verify -verbose -keystore custom.jks -certs custom.jar testalias

        s k      151 Wed Oct 12 12:16:36 EDT 2016 META-INF/MANIFEST.MF
        
              X.509, CN=myserver, OU=CA, O=CA, L=CA, ST=CA, C=CA (testalias)
              [certificate is valid from 10/12/16 12:16 PM to 10/12/17 12:16 PM]
              [ExtendedKeyUsage, NetscapeCertType extension does not support code signing]
              X.509, EMAILADDRESS=mycertadmin@myorg.com, CN=intermediateca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US (intermediateca)
              [certificate is valid from 3/17/16 3:44 PM to 3/15/26 3:44 PM]
              X.509, EMAILADDRESS=mycertadmin@myorg.com, CN=rootca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US (rootca)
              [certificate is valid from 3/17/16 3:43 PM to 3/12/36 3:43 PM]
        
                 313 Wed Oct 12 12:16:36 EDT 2016 META-INF/TESTALIA.SF
                4976 Wed Oct 12 12:16:36 EDT 2016 META-INF/TESTALIA.RSA
                   0 Wed Oct 12 12:16:36 EDT 2016 META-INF/
        smk     1509 Wed Oct 12 12:16:36 EDT 2016 testabc.jks
        
              X.509, CN=myserver, OU=CA, O=CA, L=CA, ST=CA, C=CA (testalias)
              [certificate is valid from 10/12/16 12:16 PM to 10/12/17 12:16 PM]
              [ExtendedKeyUsage, NetscapeCertType extension does not support code signing]
              X.509, EMAILADDRESS=mycertadmin@myorg.com, CN=intermediateca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US (intermediateca)
              [certificate is valid from 3/17/16 3:44 PM to 3/15/26 3:44 PM]
              X.509, EMAILADDRESS=mycertadmin@myorg.com, CN=rootca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US (rootca)
              [certificate is valid from 3/17/16 3:43 PM to 3/12/36 3:43 PM]
        
        
          s = signature was verified 
          m = entry is listed in manifest
          k = at least one certificate was found in keystore
          i = at least one certificate was found in identity scope
          X = not signed by specified alias(es)
        
        jar verified.
        
        Warning: 
        This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.
        This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.
        This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2017-10-12) or after any future revocation date.
        

    The way I arrived at the two conclusions above is based on a slightly modified set of the problematic steps, which let the jnlp run without error. Here are those steps:

      1. keytool -genkeypair -keystore custom.jks -storepass password -keyalg RSA -keysize 2048 -keypass password -alias testalias
      2. keytool -certreq -keystore custom.jks -storepass password -alias testalias -keypass password -file myserver.csr
      3. openssl ca -config /home/user/ca/intermediate/openssl.cnf -extensions server_cert -days 365 -notext -md sha256 -out /home/user/ca/intermediate/certs/myserver.cert.pem -infiles myserver.csr
      4. keytool -importcert -alias rootca -file /home/user/ca/certs/ca.cert.pem -keystore custom.jks -v -rfc -storepass password
      5. keytool -importcert -alias intermediateca -file /home/user/ca/intermediate/certs/intermediate.cert.pem -keystore custom.jks -v -rfc -storepass password
      6. keytool -importcert -alias testalias -file /home/user/ca/intermediate/certs/myserver.cert.pem -keystore custom.jks -v -rfc -storepass password

      **DEVIATION BEGINS**

      7. keytool -importkeystore -alias testalias -srckeystore custom.jks -destkeystore custom.p12 -deststoretype pkcs12 -srcstorepass password -deststorepass password -srcalias testalias -destalias testalias
      8. openssl pkcs12 -in custom.p12 -out custom.pem -nodes -password pass:password
      9. Manually removed the rootca and intermediateca certificates from custom.pem
      10. openssl pkcs12 -export -in custom.pem -inkey custom.pem -out custom2.p12 -name testalias -password pass:password -passin pass:password
      11. keytool -importkeystore -srckeystore custom2.p12 -srcstoretype PKCS12 -destkeystore custom2.jks -deststoretype JKS -srcstorepass password -deststorepass password
      12. keytool -importcert -alias rootca -file /home/user/ca/certs/ca.cert.pem -keystore custom2.jks -v -rfc -storepass password
      13. keytool -importcert -alias intermediateca -file /home/user/ca/intermediate/certs/intermediate.cert.pem -keystore custom2.jks -v -rfc -storepass password

      **DEVIATION ENDS**

      14. keytool -exportcert -alias testalias -file export.crt -keystore custom2.jks -storepass password
      15. keytool -importcert -alias testalias -file export.crt -keystore testabc.jks -storepass password -v -rfc
      16. jar cvf custom.jar testabc.jks
      17. jarsigner -keystore ./custom2.jks -verbose -keypass password -storepass password custom.jar testalias

    keytool -list output for this latest custom2.jks file, WITHOUT the problem: keytool -list -v -alias testalias -keystore custom2.jks

          Enter keystore password:  
          Alias name: testalias
          Creation date: Oct 12, 2016
          Entry type: PrivateKeyEntry
          Certificate chain length: 1
          Certificate[1]:
          Owner: CN=myserver, OU=CA, O=CA, L=CA, ST=CA, C=CA
          Issuer: EMAILADDRESS=mycertadmin@myorg.com, CN=intermediateca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US
          Serial number: 1047
          Valid from: Wed Oct 12 14:33:32 EDT 2016 until: Thu Oct 12 14:33:32 EDT 2017
          Certificate fingerprints:
                   MD5:  00:88:00:E1:E4:C2:32:67:A2:0B:20:6E:1D:B8:60:FF
                   SHA1: 4A:A4:05:CE:56:8C:32:48:AC:0B:1C:72:29:D7:28:F4:1C:C7:87:DA
                   SHA256: 80:6A:35:52:8D:EC:90:FD:6F:42:02:8C:02:4D:85:C7:EE:FD:E1:47:64:CE:D4:4B:7E:F7:9F:8B:68:68:0D:21
                   Signature algorithm name: SHA256withRSA
                   Version: 3
          
          Extensions: 
          
          #1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
          0000: 16 24 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  .$OpenSSL Genera
          0010: 74 65 64 20 53 65 72 76   65 72 20 43 65 72 74 69  ted Server Certi
          0020: 66 69 63 61 74 65                                  ficate
          
          
          #2: ObjectId: 2.5.29.35 Criticality=false
          AuthorityKeyIdentifier [
          KeyIdentifier [
          0000: EA 08 F0 F6 CC 10 32 7B   A9 A1 93 7A A3 82 A0 11  ......2....z....
          0010: AC 13 03 D2                                        ....
          ]
          [EMAILADDRESS=mycertadmin@myorg.com, CN=rootca, OU=MYOU, O=MYORG, L=LOC, ST=ST, C=US]
          SerialNumber: [    1000]
          ]
          
          #3: ObjectId: 2.5.29.19 Criticality=false
          BasicConstraints:[
            CA:false
            PathLen: undefined
          ]
          
          #4: ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
          ]
          
          #5: ObjectId: 2.5.29.15 Criticality=false
          KeyUsage [
            DigitalSignature
            Key_Encipherment
          ]
          
          #6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
          NetscapeCertType [
             SSL server
          ]
          
          #7: ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 8F 68 EC C9 3F 62 27 34   47 D4 AB FE 61 31 67 57  .h..?b'4G...a1gW
          0010: DF 4A B8 7C                                        .J..
          ]
          ]  
          

    jarsigner -verify output for this latest jar file, WITHOUT the problem: jarsigner -verify -verbose -keystore custom2.jks -certs custom.jar testalias

          s k      151 Wed Oct 12 14:34:38 EDT 2016 META-INF/MANIFEST.MF
          
                X.509, CN=myserver, OU=CA, O=CA, L=CA, ST=CA, C=CA (testalias)
                [certificate is valid from 10/12/16 2:33 PM to 10/12/17 2:33 PM]
                [ExtendedKeyUsage, NetscapeCertType extension does not support code signing]
          
                   313 Wed Oct 12 14:34:38 EDT 2016 META-INF/TESTALIA.SF
                  1933 Wed Oct 12 14:34:38 EDT 2016 META-INF/TESTALIA.RSA
                     0 Wed Oct 12 14:34:38 EDT 2016 META-INF/
          smk     1506 Wed Oct 12 14:34:38 EDT 2016 testabc.jks
          
                X.509, CN=myserver, OU=CA, O=CA, L=CA, ST=CA, C=CA (testalias)
                [certificate is valid from 10/12/16 2:33 PM to 10/12/17 2:33 PM]
                [ExtendedKeyUsage, NetscapeCertType extension does not support code signing]
          
          
            s = signature was verified 
            m = entry is listed in manifest
            k = at least one certificate was found in keystore
            i = at least one certificate was found in identity scope
            X = not signed by specified alias(es)
          
          jar verified.
          
          Warning: 
          This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.
          This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.
          This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2017-10-12) or after any future revocation date.
          

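An added check, not the question author's code and not part of keytool or jarsigner: it reads a signer entry in the format `keytool -list -v` prints and applies the same end-entity rules that the `jarsigner -verify` warnings above are about (DigitalSignature key usage; an ExtendedKeyUsage extension, when present, must include codeSigning or anyExtendedKeyUsage; a NetscapeCertType extension, when present, must include Object Signing). The two sample listings are constructed from the question's output and the extension names assume keytool's spelling.

```python
import re

# Added example (not from the question): evaluates a signer entry printed by
# "keytool -list -v" against the end-entity rules Java applies to a jar signer:
# KeyUsage must include DigitalSignature, an ExtendedKeyUsage extension (when
# present) must include codeSigning or anyExtendedKeyUsage, and a
# NetscapeCertType extension (when present) must include Object Signing.
# Names are spelled the way keytool prints them.
CODE_SIGNING_EKUS = {"codeSigning", "anyExtendedKeyUsage", "1.3.6.1.5.5.7.3.3"}

# Constructed sample: the problematic entry from the question, trimmed to the
# lines that matter (a serverAuth certificate with a three-deep chain).
PROBLEM_LISTING = """\
Alias name: testalias
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=myserver, OU=CA, O=CA, L=CA, ST=CA, C=CA
Extensions:
#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]
#5: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
#6: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL server
]
Certificate[2]:
Owner: EMAILADDRESS=mycertadmin@myorg.com, CN=intermediateca, O=MYORG, C=US
"""

# Constructed sample: the same entry as it would print if the CSR had been
# signed with a code-signing extension section instead of server_cert.
OK_LISTING = (PROBLEM_LISTING.replace("  serverAuth", "  codeSigning")
              .replace("   SSL server", "   Object Signing"))


def _bracket_list(section, name):
    """Items printed inside 'name [ ... ]', or None when that extension is absent."""
    m = re.search(r"\n\s*" + re.escape(name) + r"\s*\[\n(.*?)\n\s*\]", section, re.S)
    return None if not m else [x.strip() for x in m.group(1).splitlines() if x.strip()]


def parse_end_entity(listing):
    """Code-signing-relevant fields of the signer (first) certificate in the entry."""
    m = re.search(r"Certificate chain length:\s*(\d+)", listing)
    chain_len = int(m.group(1)) if m else 1  # a trustedCertEntry prints no length
    start = max(listing.find("Certificate[1]:"), 0)
    end = listing.find("Certificate[2]:")
    signer = listing[start:end if end >= 0 else len(listing)]
    return {"chain_length": chain_len,
            "key_usage": _bracket_list(signer, "KeyUsage"),
            "eku": _bracket_list(signer, "ExtendedKeyUsages"),
            "ns_cert_type": _bracket_list(signer, "NetscapeCertType")}


def code_signing_problems(info):
    """Reasons Java's validator (and jarsigner -verify) object to this signer."""
    problems = []
    if info["key_usage"] is not None and "DigitalSignature" not in info["key_usage"]:
        problems.append("KeyUsage lacks DigitalSignature")
    if info["eku"] is not None and not CODE_SIGNING_EKUS & set(info["eku"]):
        problems.append("ExtendedKeyUsage %s does not permit code signing" % info["eku"])
    if info["ns_cert_type"] is not None and "Object Signing" not in info["ns_cert_type"]:
        problems.append("NetscapeCertType %s does not allow code signing" % info["ns_cert_type"])
    return problems
```

Run against the listings in the question, every signer entry reports the same two problems (serverAuth EKU, SSL server NetscapeCertType), matching the `jarsigner -verify` warnings that appear in both the "with problem" and "without problem" outputs; the chain length is returned as well because it is the one field that differs between those entries.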
0 answers:

No answers