Arun Kumar

Reputation: 6794

Java keytool error: java.lang.Exception: Input not an X.509 certificate

To make an SSL connection with some server, whenever I run the following command, followed by the keystore default password "changeit", on Windows to import the certificate into the Java keystore, the following error occurred:

COMMAND:

keytool -import -file "E:\postgrescert\server.crt" -keypass changeit -keystore "C:\Java\JDK\jre\lib\security\cacerts" -alias pgssslninet

ERROR:

keytool error: java.lang.Exception: Input not an X.509 certificate

The server.crt has the following content:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a1:ea:8c:61:61:0a:7d:69
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/[email protected]
        Validity
            Not Before: Jun 14 23:59:25 2013 GMT
            Not After : Jul 14 23:59:25 2013 GMT
        Subject: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:7c:dd:6e:5f:98:85:52:b4:13:45:2d:69:26:
                    61:6c:d7:ad:d6:12:27:bf:e1:07:53:a4:76:27:29:
                    ca:3d:82:e5:63:8c:9e:a5:b0:24:f6:77:86:92:ab:
                    42:e5:26:8a:4a:ea:ea:4a:65:20:a1:3b:05:c7:e0:
                    31:8e:4c:6e:e5:9e:e4:9c:de:05:02:b3:59:70:00:
                    df:fb:b9:62:e1:5b:8e:1b:29:2d:7c:41:86:41:a9:
                    9e:24:f8:65:54:8c:cf:44:c4:7b:fa:12:b4:84:d1:
                    d7:d7:2f:14:32:f9:2e:7b:c2:d8:0b:35:c9:f5:8b:
                    64:ed:cf:84:6e:bf:97:d0:44:7b:6b:67:c6:5b:6f:
                    92:5d:f6:d7:01:b6:ba:96:37:c8:3b:f8:be:01:b5:
                    02:d1:6b:21:67:83:c8:fd:37:bd:70:e5:c1:e4:81:
                    b0:42:a9:04:b1:3d:33:4c:43:2b:33:cc:50:65:1e:
                    c0:15:8d:e3:5f:b0:9c:d9:04:09:18:e7:8f:80:56:
                    6f:45:1d:0a:c2:2d:02:7e:67:2a:8a:1b:73:4a:db:
                    80:e0:52:d6:33:23:c7:aa:48:b0:5c:ad:7f:8c:96:
                    7c:d4:84:61:4d:ae:d3:9c:ef:59:c1:bd:71:83:c3:
                    5e:a4:04:84:8f:cd:76:82:3a:86:43:ab:c1:f4:e9:
                    02:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7
            X509v3 Authority Key Identifier: 
                keyid:C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        6b:2f:5f:33:f8:bb:55:66:c3:48:c9:ae:64:c1:89:5b:e1:54:
        9a:bc:ae:34:87:7e:bc:e7:30:26:9e:65:58:42:79:19:e2:ee:
        93:2a:c7:2d:a9:45:b4:1c:7b:5f:5a:ec:12:e3:76:38:c5:44:
        aa:7f:bd:60:b6:a6:83:90:68:9d:8f:1c:7a:69:4a:58:a8:55:
        5a:36:9e:e3:69:76:50:0e:4c:30:54:11:4c:de:10:91:6f:aa:
        49:34:19:1c:96:cb:8a:6c:fd:df:19:ed:e1:84:2b:05:12:68:
        e6:af:c5:59:c2:61:ca:10:2c:8e:cc:0a:34:7e:08:e5:22:ac:
        01:fd:fc:4d:16:4f:66:29:58:ac:8e:25:79:3d:de:b6:ef:55:
        6e:26:c5:75:9d:6d:57:4e:02:89:b8:c1:b8:47:b7:09:9b:07:
        cf:5b:a3:bc:a3:6b:ef:a1:4c:95:a0:be:0f:d4:63:fe:35:c6:
        c6:42:10:0b:28:13:02:a3:6e:b3:bf:ae:57:a8:bd:a1:25:6a:
        2d:cd:c7:20:64:4b:2e:f2:b2:c9:5c:85:cf:6f:de:39:86:84:
        94:d3:01:c5:25:b7:ec:65:1b:5f:93:ec:9d:cc:81:fa:c7:34:
        fc:e4:e2:5c:3f:4b:cc:83:bb:f0:67:88:1f:f6:a1:3b:9e:00:
        7b:ba:b2:79
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Can anyone help me to locate the exact issue behind this error?

PS: When I removed everything above -----BEGIN CERTIFICATE-----, it got successfully imported. Is the information above -----BEGIN CERTIFICATE----- really required? Please help.

Regards,

Arun

Upvotes: 2

Views: 36140

Answers (2)

ExpertNoob1

Reputation: 932

Same problem here. I just added an empty line at the end and keytool was happy.

Upvotes: 0

jww

Reputation: 102205

Can anyone help me to locate the exact issue behind this error?

Keytool can handle two formats. One is ASN.1/DER encoding, which looks like binary data under a hex editor. The other is RFC 1421, Certificate Encoding Standard, which is a Base64 encoding of the certificate. See the docs on the Keytool at the Solaris site.

When I removed everything above -----BEGIN CERTIFICATE-----, it got successfully imported. Is the information above -----BEGIN CERTIFICATE----- really required?

The format you describe above is Internet RFC 1421 Certificate Encoding Standard. Keytool should be able to handle the format. The manual clearly states that format is allowed:

Certificates are often stored using the printable encoding format defined by the Internet RFC 1421 standard, instead of their binary encoding. This certificate format, also known as "Base 64 encoding", facilitates exporting certificates to other applications by email or through some other mechanism. ...

Certificates read by the -import and -printcert commands can be in either this format or binary encoded.

In the above, the "this format" is RFC 1421. The "binary encoded" is ASN.1/DER.
With that said, the certificate looks like a client certificate since it has a PKCS#9 email address in the Common Name, and it does not have a DNS name (like example.com). Yet it also has a Basic Constraint of CA=TRUE.

Placing email addresses and DNS names in the Common Name field is deprecated by both the IETF and CA/B Forums. Those names should be placed in Subject Alternate Name field. Use the Common Name for a friendly name or a display name like "John Doe" or "Datametrics".

Java also seems to follow the IETF standards closer than most others (others meaning tools and libraries; and not standards). But the RFCs tend to run fast and loose, and I don't recall the PKCS#9 email address/CA=TRUE flag being prohibited.

That issue may affect its import-ability. Bruno or EJP would probably know for certain.

Upvotes: 2
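The two answers point at the same underlying cause: keytool accepts either raw DER or an RFC 1421 Base64 block, and anything else in the file (the `openssl x509 -text` dump above the header, `\r\n` line endings, a missing final newline) can make the parser reject the input. The following Python script is an added example, not code from the question, the answers or keytool itself: it classifies a file the way keytool's two accepted inputs differ, cuts the PEM block out of a file that has a text dump in front of it, re-wraps it at 64 columns with a guaranteed trailing newline, and checks that the decoded bytes are a single well-formed DER SEQUENCE of the right length. The sample input is constructed; its PEM body is a hand-built five-byte DER SEQUENCE rather than a real certificate, so the script runs offline.

```python
import base64
import re
from typing import Optional

# Constructed sample input: the shape of a file written by `openssl x509 -text`,
# i.e. a human-readable dump followed by the PEM block. The PEM body is a
# hand-built DER SEQUENCE { INTEGER 5 }, not a real certificate. CRLF line
# endings and the missing final newline reproduce the symptoms in the thread.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_FILE = "\n".join([
    "Certificate:",
    "    Data:",
    "        Version: 3 (0x2)",
    "        Signature Algorithm: sha1WithRSAEncryption",
    "-----BEGIN CERTIFICATE-----\r",
    base64.b64encode(SAMPLE_DER).decode() + "\r",
    "-----END CERTIFICATE-----",
])

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)


def detect_format(data: bytes) -> str:
    """Classify raw file bytes by what keytool -import can consume."""
    if data[:1] == b"\x30":                       # DER SEQUENCE tag
        return "DER"
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "PEM"
    if b"-----BEGIN CERTIFICATE-----" in data:    # the questioner's file
        return "PEM with leading text"
    return "unknown"


def extract_pem_block(text: str) -> str:
    """Return only the certificate block, LF-terminated and wrapped at 64 columns."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    body = "".join(m.group(1).split())           # drop CR, LF and stray spaces
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")  # trailing newline keytool wants


def pem_to_der(text: str) -> bytes:
    """Decode the Base64 body of the first CERTIFICATE block into DER bytes."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_total_length(der: bytes) -> Optional[int]:
    """Length the outer SEQUENCE claims (header + content), or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                              # short-form length
        return 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def looks_like_der_certificate(der: bytes) -> bool:
    """True when the bytes are exactly one complete DER SEQUENCE, nothing more."""
    total = der_total_length(der)
    return total is not None and total == len(der)


if __name__ == "__main__":
    raw = SAMPLE_FILE.encode()
    print("input format:", detect_format(raw))
    cleaned = extract_pem_block(SAMPLE_FILE)
    print("cleaned format:", detect_format(cleaned.encode()))
    der = pem_to_der(cleaned)
    print("well-formed DER:", looks_like_der_certificate(der))
```

Run on a real `server.crt` the cleaned output is what `-import -file` should point at. Two caveats that follow from the command in the question: the password for the keystore itself is given with `-storepass` (`-keypass` protects private-key entries, not the trust store), and anything imported into the JDK's `cacerts` is trusted by every Java application using that JDK, so a self-signed CA=TRUE certificate like this one is better kept in a dedicated truststore selected with `-Djavax.net.ssl.trustStore`.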
