Danie Roux

People person, change agent. Journeyer through problem and solution space. Interested in being interested.

Danie Roux header image 2

Input not an X.509 certificate

February 11th, 2007 · 9 Comments · general

For the benefit of anyone getting a “java.lang.Exception: Input not an X.509 certificate” when trying to import a signed certificate using keytool:

I was trying to import the certificate that Thawte signed for me into the Java based keystore. Currently my best guess is that keytool was written by an intern with way not enough coffee in his/her body. This is what I did first:

keytool -import -keystore keystore.production  -storepass pinky -file thawte.crt

The error returned to me was:

keytool error: java.lang.Exception: Input not an X.509 certificate

Right. I know its not. So what?

This error message wasted a possible precious 20 minutes of my life. To save someone some time, it turns out I forgot to specify the key alias! Very obvious from the exception, I know. This is correct:

keytool -import -keystore keystore.production  -storepass pinky -file thawte.crt -alias key-alias-in-store

Tags: ···

9 responses so far ↓

  • 1 J H // Mar 26, 2008 at 19:16

    I have also found that if there is space at the end of the Base-64 encoded data it will cause the same problem.

  • 2 Morten Simonsen // Jan 21, 2009 at 11:02

    Read a comment on Thawte on this issue, and it seems like keytool is very strict about format. If you have anything in your certificate before —–BEGIN CERTIFICATE—– or anyting after —–END CERTIFICATE—–, then it might very well be a problem. (Tested on JDK 1.5.0_17)

  • 3 W H // Jan 22, 2009 at 18:17

    Thanks! This was exactly my issue. You just made my day!

  • 4 danieroux // Jan 22, 2009 at 22:05


    Thank you for your input!

  • 5 DallasRat // Sep 11, 2009 at 18:04

    My p7b file contained the Signing cert and an Intermediate cert. Both had to be exported. see VeriSign Code Singing Support Article so11251. The p7b file had to be opened and each certificate exported to Base64. then the keytool took them (both Base64) without issue. Hope this helps someone.

  • 6 Giona // Nov 18, 2009 at 15:29

    Thank you a lot Danie.

    Why is everything having to do with Java always such a goddamn mess?

  • 7 Joey // Jan 12, 2010 at 20:59

    Thanks a lot! Going from Thawte’s documentation I thought I was supposed to import the certificate as a NEW alias, this article helped me figure out my mistake.

  • 8 keytool error: java.lang.Exception: Input not an X.509 certificate | frozen hamster // Mar 24, 2013 at 13:17

    [...] This error can have several causes. One such I’ve found is that if there are any garbage characters after the cert in the file, keytool will reject the file as “not an X.509 certificate” [...]

  • 9 raj // Jan 28, 2014 at 18:56

    I copied/pasted from the website and caught a space AFTER the

Leave a Comment