Error: “keytool error: java.lang.Exception: Input not an X.509 certificate” installing a Symantec Sun Java PKCS #7 certificate format into keystore

Solution ID:    SO18659    Updated:    05/10/2016

Problem

Error occurs when importing a Symantec Sun Java PKCS #7 certificate format into keystore:

error: java.lang.Exception: Input not an X.509 certificate

Cause

This error occurs for three reasons:

  • Incorrect Alias used
  • Incorrect Keystore used
  • Incorrect Certificate used

Solution

To resolve this issue

Check :

  1. The original alias of the original keystore that was used to generate the Certificate Signing Request (CSR) must be used
  2. The original keystore used to generate the CSR must be used.
  3. The correct certificate must be downloaded.

The steps below contains information on installing all certificates as single files. Make sure that the correct order of Primary Intermediate, Secondary Intermediate and your End Entity certificate is used or the certificate's trust chain will not be installed correctly.

Step 1: Export Symantec Code Signing Certificate for Sun Java

  1. Save the Symantec Code Signing Certificate for Sun Java  on your Microsoft Windows computer as cert.p7b file
  2. Double click the cert.p7b file
  3. Expand Users folder by clicking on the arrow


     
  4. Click the Certificates sub folder


     
  5. Select the Code Signing Certificate for Sun Java, right click > All Tasks > Export


     
  6. Click Next


     
  7. Select the radio button for Base-64 encoded X.509 (.CER) > click Next


     
  8. Click Browse...


     
  9. Specify a file name for the Code Signing Certificate for Sun Java (e.g., sunjava.cer) you want to save on your computer, click Save
     

     
  10.  Click Next


     
  11.  Click Finish

 

Step 2: Export Code Signing Secondary Intermediate CA certificate
 

  1. Select the Code Signing Secondary Intermediate CA certificate as VeriSign Class 3 Code Signing 2010 CA , right click > All Tasks > Export


     
  2. Click Next


     
  3. Select the radio button for Base-64 encoded X.509 (.CER) > click Next


     
  4. Click Browse...


     
  5. Specify a file name for the Code Signing Secondary Intermediate CA certificate (e.g., secondaryintca.cer) you want to save on your computer, click Save


     
  6. Click Next



     
  7. Click Finish

 

Step 3: Export Code Signing Primary Intermediate CA certificate
 

  1.  Select the Code Signing Primary Intermediate CA certificate as VeriSign Class 3 Public Primary Certification Authority - G5, right click > All Tasks > Export


     
  2. Click Next


     
  3. Select the radio button for Base-64 encoded X.509 (.CER) > click Next


     
  4. Click Browse...


     
  5. Specify a file name for the Code Signing Primary Intermediate CA certificate (e.g., primaryintca.cer) you want to save on your computer, click Save


     
  6. Click Next


     
  7. Click Finish

 

Step 4: Install Code Signing Primary Intermediate CA  and Secondary Intermediate CA certificate into keystore

Note: The Primary & Secondary Intermediate CA certificate installation example below is based on Step 2 & 3

  1. Use the following command to import the Code Signing Primary Intermediate CA certificate into the keystore:

    keytool -import -trustcacerts -alias primaryintermediate -keystore keystore_name -file primaryintca.cer

    For example:


     
  2. Use the following command to import the Code Signing Secondary Intermediate CA certificate into the keystore:

    keytool -import -trustcacerts -alias secondaryintermediate -keystore keystore_name -file secondaryintca.cer

    For example:

 

Step 5: Install Code Signing Certificate for Sun Java into keystore

Note: The Code Signing Certificate for Sun Java installation example below is based on Step 1

  1. Use the following command to import the Code Signing Certificate for Sun Java into the keystore:

    keytool -import -trustcacerts -alias your_alias_name -keystore keystore_name -file sunjava.cer

    For example:
     
     

 

 Step 6: Confirm the contents of the keystore

  1. Enter the following command to list the contents of the keystore:

    keytool -list -v -keystore your_keystore_filename > output_filename

    For example:


     
  2. View the contents of the output file. The certificate chain length should be four.

    For example:


     
  3. To begin signing, refer to article INFO185

 

 




 

 


 

 

Disclaimer:

Terms of use for this information are found in Legal Notices

Contact Support

Find Answers