
keytool cannot import certificate chain

lmx
Joined: 2007-02-27

Hello!
I am trying to import this http://info.e-me.lv/lv/dokumenti/LPproductionchain2.p7b certificate chain into a truststore using the command
keytool -importcert -trustcacerts -file LPProductionchain2.p7b -alias lp -keystore cacerts.jks -storepass changeit but I am getting the error "keytool error: java.lang.Exception: Input not an X.509 certificate".
I am using java version "1.6.0_04" on Windows.

Am I missing something?
Thanks for any reply.

jamieraut
Joined: 2008-02-21

Ran into the same problem on Java 5:

bash-3.00$ java -fullversion
java full version "1.5.0_02-b09"
bash-3.00$ keytool -import -alias my-root -file "C:\\path\\to\\cert\\chain.p7b" -trustcacerts -keystore cacerts -storepass changeit -v
keytool error: java.lang.Exception: Input not an X.509 certificate

Try converting the certificate chain from the Microsoft p7b format to PEM, then import. See this link from BEA:

http://edocs.bea.com/wls/docs92/secmanage/identity_trust.html#wp1196447

I ran the certificate export wizard on XP and concatenated the two certs in my chain:

bash-3.00$ cat top-cert.cer root-cert.cer > chain.cer

then imported:

bash-3.00$ keytool -import -alias my-root -file "C:\\path\\to\\cert\\chain.cer" -trustcacerts -keystore cacerts -storepass changeit -v
Owner: CN=XXXXXXXXX, OU=XXXXX, O=XXXXX, L=XXX, ST=XXX, C=XX
Issuer: CN=XXXXX Root CA, OU=XXX, O=XXXX, L=XXX, ST=XXX, C=XX
Serial number: XXXXXXXXXXXXXXX
Valid from: Fri Mar 25 07:38:01 PST 2007 until: Mon Jul 19 07:48:01 PST 2012
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Trust this certificate? [no]: yes
Certificate was added to keystore
[Storing cacerts]

Worked for me.
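The two things keytool is tripping over here are the file format (a .p7b is a PKCS#7 SignedData wrapper, not a bare X.509 certificate, so keytool's trusted-cert import rejects it) and the fact that a trusted cert entry holds exactly one certificate, so importing a concatenated chain.cer under one alias stores only the first certificate in the file. The usual conversion step is `openssl pkcs7 -print_certs -inform DER -in chain.p7b -out chain.pem` (drop `-inform DER` if the p7b is already PEM). As an added example that is not from this thread, the Python 3 script below (standard library only, no signature validation) sniffs what kind of file keytool was handed, splits a PEM bundle into one file per certificate, and emits one `keytool -importcert` per certificate so each ends up under its own alias. The sample inputs are constructed filler, not real certificates; the alias prefix and file names are assumptions.

```python
"""Diagnose "Input not an X.509 certificate" and split a PEM bundle for keytool.

Added example, not code from the thread. Standard library only.
"""
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData). A .p7b file is a
# SignedData structure carrying one or more certificates, which is what Windows'
# certificate export wizard produces.
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 #]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def sniff(data):
    """Classify the input roughly the way keytool's trusted-cert import sees it."""
    if data.lstrip().startswith(b"-----BEGIN"):
        labels = {m.group(1).decode() for m in PEM_BLOCK.finditer(data)}
        if labels == {"CERTIFICATE"}:
            return "pem-x509"          # what keytool -importcert expects
        if labels & {"PKCS7", "PKCS #7 SIGNED DATA"}:
            return "pem-pkcs7"         # convert first (openssl pkcs7 -print_certs)
        return "pem-other"
    if data[:1] == b"\x30" and PKCS7_SIGNED_DATA_OID in data[:32]:
        return "der-pkcs7"             # binary .p7b: the OP's case
    if data[:1] == b"\x30":
        return "der-sequence"          # a DER X.509 cert also starts with SEQUENCE
    return "unknown"


def split_pem_certificates(data):
    """Return each CERTIFICATE block of a concatenated PEM file as its own PEM bytes."""
    certs = []
    for m in PEM_BLOCK.finditer(data):
        if m.group(1) != b"CERTIFICATE":
            continue
        body = b"".join(m.group(2).split())
        base64.b64decode(body, validate=True)   # reject truncated or garbage blocks early
        certs.append(b"-----BEGIN CERTIFICATE-----\n" + m.group(2).strip()
                     + b"\n-----END CERTIFICATE-----\n")
    return certs


def keytool_commands(certs, keystore, alias_prefix):
    """One import per certificate: a trusted cert entry can hold only one certificate.

    Returns (filename, command) pairs; filenames are <prefix>-<n>.pem (assumed scheme).
    """
    plan = []
    for i, _ in enumerate(certs):
        name = "%s-%d.pem" % (alias_prefix, i)
        plan.append((name, "keytool -importcert -trustcacerts -file %s -alias %s-%d -keystore %s"
                     % (name, alias_prefix, i, keystore)))
    return plan


# Constructed sample inputs: the base64 is filler, not real certificates.
SAMPLE_PEM_BUNDLE = (
    b"-----BEGIN CERTIFICATE-----\nMIIBAAEC\nAwQF\n-----END CERTIFICATE-----\n"
    b"-----BEGIN CERTIFICATE-----\nMIICBgcI\n-----END CERTIFICATE-----\n"
)
SAMPLE_PEM_P7B = b"-----BEGIN PKCS7-----\nMIIBAAEC\n-----END PKCS7-----\n"
SAMPLE_DER_P7B = bytes.fromhex("3082012306092a864886f70d010702a0")

if __name__ == "__main__":
    for label, blob in (("bundle", SAMPLE_PEM_BUNDLE), ("pem p7b", SAMPLE_PEM_P7B),
                        ("der p7b", SAMPLE_DER_P7B)):
        print(label, "->", sniff(blob))
    certs = split_pem_certificates(SAMPLE_PEM_BUNDLE)
    for name, cmd in keytool_commands(certs, "cacerts.jks", "lp"):
        with open(name, "wb") as fh:
            fh.write(certs[int(name.split("-")[1].split(".")[0])])
        print(cmd)
```

Check each printed fingerprint against the one published by the CA before answering "yes" to keytool's trust prompt; a truststore entry is a trust anchor, and normally only the self-signed root from the chain belongs there.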

sfarmer81
Joined: 2008-08-04

Hi,

I followed these steps to import a certificate chain into the keystore (concatenating two certs into one) and the import worked fine, but I cannot retrieve a certificate chain for the alias. I can get the cert, but the chain is null. Were you able to access the entire chain through the keystore in Java, or did you have to build a cert trust chain by hand?

Cheers,
Shane

> Ran into the same problem on Java 5:
>
> bash-3.00$ java -fullversion
> java full version "1.5.0_02-b09"
> bash-3.00$ keytool -import -alias my-root -file "C:\\path\\to\\cert\\chain.p7b" -trustcacerts -keystore cacerts -storepass changeit -v
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> Try converting the certificate chain from the Microsoft p7b format to PEM, then import. See this link from BEA:
>
> http://edocs.bea.com/wls/docs92/secmanage/identity_trust.html#wp1196447
>
> I ran the certificate export wizard on XP and concatenated the two certs in my chain:
>
> bash-3.00$ cat top-cert.cer root-cert.cer > chain.cer
>
> then imported:
>
> bash-3.00$ keytool -import -alias my-root -file "C:\\path\\to\\cert\\chain.cer" -trustcacerts -keystore cacerts -storepass changeit -v
> Owner: CN=XXXXXXXXX, OU=XXXXX, O=XXXXX, L=XXX, ST=XXX, C=XX
> Issuer: CN=XXXXX Root CA, OU=XXX, O=XXXX, L=XXX, ST=XXX, C=XX
> Serial number: XXXXXXXXXXXXXXX
> Valid from: Fri Mar 25 07:38:01 PST 2007 until: Mon Jul 19 07:48:01 PST 2012
> Certificate fingerprints:
> MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
> SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
> Trust this certificate? [no]: yes
> Certificate was added to keystore
> [Storing cacerts]
>
> Worked for me.

immilev
Joined: 2006-12-17

Yeah, it is a bit unintuitive, but you cannot import certificate chains *unless* they are associated with a private key (as in the CA's reply to the CSR). Check the docs on how to import to an existing key entry (need to specify its alias).

Ivaylo

PS

There are two types of entries: key entries and trusted cert entries, and only a key entry can have a "chain" of certificates attached to it. Trusted cert entries are all single-cert entries.
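Putting the three answers together in Java rather than at the keytool prompt: the X.509 `CertificateFactory` reads a PKCS#7 certs-only bundle (a .p7b) as well as DER or PEM certificates, so the p7b never needs converting if you do the import in code, and the trusted-cert/key-entry distinction shows up directly in what `KeyStore.getCertificateChain` returns. The program below is an added example, not code from this thread or from any of the posters: it loads (or creates) a JKS truststore, adds every certificate in the chain file as its own trusted cert entry, prints each subject and SHA-1 fingerprint so it can be checked against the CA's published value, and then lists each alias with its entry type and chain. The class name, argument order and the `<prefix>-<n>` alias scheme are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;

/** Added example: import each certificate of a p7b (or concatenated PEM) as its own trusted entry. */
public class ImportTrustChain {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ImportTrustChain <chain.p7b|chain.pem> <truststore.jks> <storepass> <alias-prefix>");
            System.exit(2);
        }
        File chainFile = new File(args[0]);
        File storeFile = new File(args[1]);
        char[] storePass = args[2].toCharArray();
        String prefix = args[3];

        // generateCertificates() accepts DER/PEM X.509 certificates and a PKCS#7
        // certs-only bundle (.p7b); keytool's trusted-cert import reads only one
        // X.509 certificate, which is why it rejects the p7b outright.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        InputStream in = new FileInputStream(chainFile);
        try {
            certs = cf.generateCertificates(in);
        } finally {
            in.close();
        }
        if (certs.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + chainFile);
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        if (storeFile.exists()) {
            InputStream ksIn = new FileInputStream(storeFile);
            try { ks.load(ksIn, storePass); } finally { ksIn.close(); }
        } else {
            ks.load(null, null);   // start an empty truststore
        }

        int n = 0;
        for (Certificate c : certs) {
            X509Certificate x = (X509Certificate) c;
            boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            boolean ca = x.getBasicConstraints() != -1;   // -1 means not a CA certificate
            String alias = prefix + "-" + n++;
            System.out.println(alias + ": " + x.getSubjectX500Principal().getName()
                    + (selfSigned ? " [self-signed root]" : " [issued by " + x.getIssuerX500Principal().getName() + "]")
                    + (ca ? " CA" : " end-entity") + " SHA-1 " + fingerprint(x));
            // One certificate per trusted cert entry; a trusted entry never carries a chain.
            ks.setCertificateEntry(alias, x);
        }

        OutputStream out = new FileOutputStream(storeFile);
        try { ks.store(out, storePass); } finally { out.close(); }

        // What the store looks like from Java: only key entries return a chain.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println(alias + ": " + (ks.isKeyEntry(alias)
                    ? "key entry, chain length " + (chain == null ? 0 : chain.length)
                    : "trusted cert entry, getCertificateChain() = " + chain));
        }
    }

    static String fingerprint(X509Certificate x) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(x.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }
}
```

Run it as `java ImportTrustChain LPproductionchain2.p7b cacerts.jks changeit lp`. For the trusted entries it writes, `getCertificateChain` prints `null` and `getCertificate` returns the single certificate, which is the behaviour asked about above; a chain only comes back for a key entry populated with `setKeyEntry` or with keytool's `-importcert` against an existing private-key alias. Since everything added here becomes a trust anchor, delete the end-entity and intermediate aliases afterwards (`keytool -delete -alias lp-0 ...`) unless you really mean to pin them, and keep only the self-signed root whose fingerprint you have verified out of band.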