Solved

java.lang.Exception: `Input not an X.509 certificate` when importing .pem certificate

Posted on 2016-07-21
Last Modified: 2016-07-27
I have created a self-signed certificate with makecert, exported it with the private key to a .pfx file and imported it on the server. Then I copied it to the client and tried importing it using keytool. I got an error: `Input is not an X.509 certificate`.
So I converted the .pfx certificate to .pem using openssl and tried again, with the same result.

I did some research and found that I might need to convert it to .der, but it still might not work. Apparently keytool only supports single-certificate PEM files. Even though mine is a single certificate, the PEM file contains private key information:

    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----


So I am not sure what my next step should be to ensure the import will work when done with keytool on the client.
Can anyone shed some light on this issue?
Question by:YZlat
4 Comments
 
LVL 64

Expert Comment

by:btan
ID: 41724566
I suggest you either try the online conversion for the sake of testing, since it is a development key, or use openssl:

•Convert a DER file (.crt .cer .der) to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem

•Convert a PEM file to DER

    openssl x509 -outform der -in certificate.pem -out certificate.der

•Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
https://www.sslshopper.com/article-most-common-openssl-commands.html
0
 
LVL 64

Expert Comment

by:btan
ID: 41724572
For clarity on PEM and DER, the latter of which is used for the Java platform, which is what you are looking at:
The PEM format usually has extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.


The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but it often has a file extension of .cer so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms.
https://www.sslshopper.com/ssl-converter.html
0
 
LVL 35

Accepted Solution

by:
YZlat earned 0 total points
ID: 41724581
The solution was much simpler: I opened the file in a text editor and deleted everything except the lines in between

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

The client machine should not have a private key. So after removing the private key and other lines, it worked with keytool.
0
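
The accepted fix above, done with a script instead of a text editor, as an added example that is not part of the original thread: it keeps only the CERTIFICATE block of the PEM bundle and refuses to write a file that still contains key material. The file names, the keytool alias and the sample bundle are constructed assumptions.

```shell
#!/bin/sh
# Added example. File names and the keytool alias are assumptions.

# Print only the CERTIFICATE block(s) of a PEM bundle: drops private keys
# and the "Bag Attributes" text that openssl pkcs12 writes around each block.
extract_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep                           { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }' "$1"
}

# Count the PEM blocks in file $1 whose BEGIN marker carries label $2.
count_blocks() {
    awk -v m="-----BEGIN $2-----" 'index($0, m) == 1 { n++ } END { print n + 0 }' "$1"
}

# Write a certificate-only file $2 from bundle $1. Fails unless the result
# holds exactly one certificate and no key material (an unterminated
# CERTIFICATE block would otherwise drag the following key along).
make_client_cert() {
    extract_certs "$1" > "$2" || return 1
    if grep -q 'PRIVATE KEY-----' "$2"; then rm -f "$2"; return 2; fi
    [ "$(count_blocks "$2" CERTIFICATE)" -eq 1 ] || return 3
}

# Constructed sample in the layout of `openssl pkcs12 -nodes` output.
# The base64 bodies are placeholders, not real key or certificate data.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItS0VZ
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=example-server
issuer=/CN=example-server
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
write_sample_bundle "$tmp/keyStore.pem"
make_client_cert "$tmp/keyStore.pem" "$tmp/client-cert.pem" && echo "wrote $tmp/client-cert.pem"
# Then, on the client (alias and keystore name are assumptions):
# keytool -importcert -alias server-cert -file client-cert.pem -keystore truststore.jks
```

The `-nokeys` option mentioned in the earlier comment keeps the private key out of the PEM file at conversion time, so only the certificate leaves the server.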
 
LVL 35

Author Closing Comment

by:YZlat
ID: 41730942
solved it myself
0
