cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - If community subscription notifications are filling up your inbox you can set up a daily digest and get all your notifications in a single email. X

keytool error: java.lang.Exception: Input not an X.509 certificate

mikefinch87
12-Amethyst

keytool error: java.lang.Exception: Input not an X.509 certificate

I am following the instructions here:

https://developer.thingworx.com/en/resources/guides/foundation-linux-install-guide/foundation-linux-create-ssl

 

Using JDK 1.8_131and Ubuntu 18.04 LTS

 

I keep getting the error above.  I found this article, https://www.ptc.com/en/support/article?n=CS147810, but it requires a maintenance subscription.  

ACCEPTED SOLUTION

Accepted Solutions

The second version is correct. Since you are on Linux, it backslashes are interpreted as escape sequences instead of path delimiters, so the filename becomes incorrect and keytool cannot find it, giving this cryptic error message.

 

Then, keytool -import asks you for the destination store password, which is cacerts in this case, which is part of the JRE. The default password is changeit, please try it.

 

Finally, try to export your certificate from the JKS first, i.e.:

keytool -export -alias tomcat9 -file certificate -keystore twkeystore.jks

...and use "certificate" as the filename for keytool -import.

 

/ Constantine

View solution in original post

4 REPLIES 4

Hello,

 

Can you provide the exact commands that you execute? Also make sure you execute it from JDK's bin directory. Ah, and you should probably replace the backslashes with the forward ones...

 

Regards,
Constantine

With \ slashes

root@thingworx-test:/usr/lib/jvm/jdk1.8.0_131/bin# keytool -import -alias tomcat9 -file "twkeystore.jks" -keystore "..\jre\lib\security\cacerts"
Enter keystore password:
Re-enter new password:
keytool error: java.lang.Exception: Input not an X.509 certificate
root@thingworx-test:/usr/lib/jvm/jdk1.8.0_131/bin#

With / slashes

root@thingworx-test:/usr/lib/jvm/jdk1.8.0_131/bin# keytool -import -alias tomcat9 -file "twkeystore.jks" -keystore "../jre/lib/security/cacerts"
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
root@thingworx-test:/usr/lib/jvm/jdk1.8.0_131/bin#

I looked at the CA certs using the help on digi and think java is right and the cacerts file is not an X.509 cert.

The second version is correct. Since you are on Linux, it backslashes are interpreted as escape sequences instead of path delimiters, so the filename becomes incorrect and keytool cannot find it, giving this cryptic error message.

 

Then, keytool -import asks you for the destination store password, which is cacerts in this case, which is part of the JRE. The default password is changeit, please try it.

 

Finally, try to export your certificate from the JKS first, i.e.:

keytool -export -alias tomcat9 -file certificate -keystore twkeystore.jks

...and use "certificate" as the filename for keytool -import.

 

/ Constantine

Thanks,

for the next person who comes here, `sudo` is required for the keytool export, or you get the Permission denied.

root@thingworx-test:/usr/lib/jvm/jdk1.8.0_131/bin$ keytool -export -alias tomcat9 -file certificate -keystore twkeystore.jks
Enter keystore password:
keytool error: java.io.FileNotFoundException: certificate (Permission denied)

Also importkeystore will work.

sudo keytool -importkeystore -srcalias tomcat9 -srckeystore twkeystore.jks -destkeystore "../jre/lib/security/cacerts"

Thanks,

is your documentation publically editable in a github, I can update it if that is possible. 

Announcements


Top Tags