How to resolve keytool error: java.lang.Exception: Input not an X.509 certificate

I get the public cert from secure URL as below:

openssl s_client -showcerts -verify 5 -connect < /dev/null | openssl x509 -pubkey -noout>/home/app/portalpublic.crt

and then add the public cert to trust store using the below command:

keytool -import -alias portalpubliccert -file /home/app/portalpublic.crt -storetype JKS -keystore cacerts

However, i get the below error in doing so:

Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate

Can you please suggest how can i fix this issue ?

cat -ev /home/app/portalpublic.crt

-----END PUBLIC KEY-----$

1 answer

  • answered 2020-09-14 08:37 dave_thompson_085

    Meta: this is not a programming or development problem, issue or question, and nowadays is likely to be closed. It would probably be suitable on security.SX or superuser.

    I get the public cert from secure URL as below:

    openssl s_client ... | openssl x509 -pubkey ...

    NO YOU DIDN'T. You got the public key not the cert. The publickey is only a publickey and is not a cert, and a cert is not just a publickey although a cert (of the type here) contains a publickey. Also, you didn't get it 'from a URL'. You got it from a domain name, or more exactly from the host at or apparently at a domain name. A domain name is not a URL; some URLs (not all!) contain a domain name, but they are different things.

    keytool -import ... -file ...

    keytool -import[cert] requires a certificate. A publickey is not a certificate. That's why the error message says the input is not a certificate -- because it isn't.

    A Java keystore can store a certificate, specifically an X.509/PKIX-type certificate, as a trustedCertEntry, but it cannot store a bare publickey. If you want to store a certificate from the given URL in a keystore, get and then import the certificate -- NOT the publickey. If for some reason you want to store only the publickey, which is basically useless if it's not linked to the other information in the certificate, don't use a Java keystore and don't use keytool.