Sourav

Reputation: 1224

How to verify X.509 certificate format?

I have an SSL certificate (a certificate chain starting from the root of the server) which seems to be okay. I can open the certificate on Windows and also import it using the Windows wizard.

But when I try to convert it into a keystore with the following command (using BouncyCastle):

keytool -importcert -v -trustcacerts -file "test.crt" -alias ca -keystore "test.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-ext-jdk15on-1.46.jar" -storetype BKS -storepass testtest

I get the below error:

keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
        at sun.security.tools.KeyTool.addTrustedCert(Unknown Source)
        at sun.security.tools.KeyTool.doCommands(Unknown Source)
        at sun.security.tools.KeyTool.run(Unknown Source)
        at sun.security.tools.KeyTool.main(Unknown Source)

I'm developing an Android application where I need to call a REST-based API through HTTPS.

Is there any web-based tool (or otherwise) through which I can validate the certificate?

Upvotes: 6

Views: 12499

Answers (1)

kroot

Reputation: 2042

It appears your test.crt is not in X.509 format. Typically, if it's a PEM-encoded X.509 certificate, it will start with the line:

-----BEGIN CERTIFICATE-----
MII...

or

-----BEGIN TRUSTED CERTIFICATE-----
MII...

A DER-encoded X.509 certificate will appear to be random binary data to you, but you can decode such DER-encoded files with the openssl command line:

openssl asn1parse -inform d -in test.crt -i

The beginning OID in the output will tell you if it's an X.509 certificate or something else like a PKCS#7 bag.

Upvotes: 9
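An added example, not part of the answer above: a standard-library Python sketch of the same triage, telling PEM from DER and an X.509-shaped file from a PKCS#7 bag by looking at the outermost ASN.1 elements. The function names and the two sample byte strings are constructed for illustration; the check is structural only and validates nothing about the certificate.

```python
import base64
import re

# DER bytes (tag, length, value) of OID 1.2.840.113549.1.7.2, PKCS#7 signedData
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def kind_of(der):
    """Structural check only: no signature, validity or chain verification."""
    try:
        tag, start, _ = read_tlv(der, 0)
        if tag != 0x30:                   # both formats start with a SEQUENCE
            return "unknown"
        inner, inner_start, _ = read_tlv(der, start)
        if inner == 0x06:                 # ContentInfo: first element is an OID
            is_p7 = der[start:start + 11] == PKCS7_SIGNED_DATA
            return "pkcs7-signedData" if is_p7 else "other-oid"
        first, _, _ = read_tlv(der, inner_start)
    except ValueError:
        return "unknown"
    # tbsCertificate begins with [0] version (v2/v3) or INTEGER serial (v1)
    return "x509" if inner == 0x30 and first in (0xA0, 0x02) else "unknown"

def classify(data):
    """Return (encoding, kind) for the raw bytes of a certificate file."""
    m = PEM_RE.search(data)
    if not m:
        return "DER", kind_of(data)
    try:
        der = base64.b64decode(m.group(2))
    except ValueError:
        return "PEM", "unknown"
    return "PEM " + m.group(1).decode(), kind_of(der)

# Constructed skeletons (not real certificates), just enough structure to classify
SAMPLE_CERT = bytes.fromhex("300a3008a003020102020101")
SAMPLE_P7B = bytes.fromhex("300f06092a864886f70d010702a0023000")
```

Call `classify(open("test.crt", "rb").read())` on a real file. A PKCS#10 request shares the v1 shape and also reports `x509`, so confirm a positive result with the `openssl asn1parse` command from the answer.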
