keytool error: java.lang.Exception: Input not an X.509 certificate

Question

I am trying to import Gmails smtp certificate for use with Jira, but I get this error when importing using Javas keytool.

I used openssl to get the certificate, everything between ----Begin Certificate---- and ----End Certificate---- (inclusive). I also attempted to create an x.509 certificate using Windows Certificate Manager, but still get this error. I have verified that there are no extra whitespaces in the file.

I have seen many people with this problem online, but none of the solutions seem to work for me. Any help would be appreciated.

Thanks

score 16 · Accepted Answer · answered Aug 10 '10 at 14:02

16

openssl x509 -outform der -in foo.pem -out foo.der

Then use the DER-encoded output certificate.

answered Aug 10 '10 at 14:02

Borealid

95,191
9
106
122

I was really hoping this would work, but I jut keep getting the same error. Here is what I'm doing exactly. openssl s_client -connect smtp.gmail.com:465 I copy that to a file called gmail.pem openssl x509 -outform der -in gmail.pem -out gmail.der keytool -import -file pathTo/gmail.der -keystore pathTo/cacerts – dbbooh01 Aug 10 '10 at 14:27
This actually did work, I forgot the argument -trustcacerts when using keytool. Thanks for the help – dbbooh01 Aug 10 '10 at 14:38
@dbbooh01 the reason this probably worked is because `-trustcacerts` imports the standard root CAs from the distributed cacerts file. This would include the root CAs that were in the trust chain for Gmail. – Alastair McCormack Feb 22 '13 at 21:53
@dbbooh01 : will you give me whole command you have entered. i have also write `x509 -outform der -in gmail.pem -out gmail.der` but it doesn't generate file gamil.der. where it generate file gmail.der ? – Java Curious ღ Sep 20 '13 at 09:21

score 5 · Answer 2 · edited Jan 29 '18 at 07:18

5

The answer is correct but be sure to INCLUDE the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in the copy/paste. This command will then work:

openssl x509 -outform der -in gmail.pem -out gmail.der

and then you do:

sudo keytool -import -file gmail.der -keystore $JAVA_HOME/jre/lib/security/cacerts -trustcacerts

edited Jan 29 '18 at 07:18

Subodh Joshi

12,717
29
108
202

answered Mar 06 '11 at 03:53

Robert Glover

51
1
1

Yepp, this was the cause of my problem too – Andrejs Sep 12 '12 at 14:31

score 2 · Answer 3 · answered Jul 23 '12 at 12:35

Unfortunately, openssl didn't work for me.

unable to load certificate 2740:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:./crypto/as n1/tasn_dec.c:1294: 2740:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:./ crypto/asn1/tasn_dec.c:380:Type=X509_CINF 2740:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 e rror:./crypto/asn1/tasn_dec.c:749:Field=cert_info, Type=X509 2740:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:./crypto/pem/pem_oth .c:83:

Used this knowledge base and success followed.

https://knowledge.verisign.ch/support/code-signing-support/index?page=content&id=SO18659&actp=search&viewlocale=en_US&searchid=1343045026667

keytool error: java.lang.Exception: Input not an X.509 certificate

3 Answers3

Linked