keytool is Strict

Let’s say you are setting up a connection to an LDAP server and need to get your security bits in place.  To get the certificate chain from the server, you may do something like this:

openssl s_client -showcerts -connect ldap.example.com:636 </dev/null > cert_chain.pem

(ldap.example.com:636 is a placeholder for your LDAP server's host and TLS port; feeding /dev/null to stdin makes s_client exit after the handshake instead of waiting for input.)

Now with the output of that, you want to create or add to a keystore. That command looks like this:

keytool -import -storetype jks -keystore dir_example.jks -storepass dir-example -file cert_chain.pem -alias ldap-ca -noprompt

But, oh no! Java spits back,

keytool error: java.lang.Exception: Input not an X.509 certificate

Well, that sucks, but have no fear! The trick to clearing this up is quite easy. keytool is quite strict. The output from the openssl command above is far too verbose for keytool, so you'll need to clean up any text outside of the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers in the file.
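Here is one way to do that clean-up with a small shell function, as an added example that is not part of the original post. The host ldap.example.com:636 and the sample s_client transcript embedded below are constructed placeholders; the real capture and keytool commands are shown commented out.

```shell
#!/bin/sh
# Added example (not from the original post): keep only the PEM certificate
# blocks from an `openssl s_client -showcerts` transcript so keytool accepts it.
# ldap.example.com:636 and SAMPLE_OUTPUT are constructed placeholders.

# Print only lines from each BEGIN CERTIFICATE marker through its END marker,
# dropping the connection chatter that keytool refuses to parse.
extract_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {p=1} p {print} /^-----END CERTIFICATE-----$/ {p=0}'
}

# Count the certificate blocks on stdin (one END marker per certificate).
count_certs() {
    grep -c '^-----END CERTIFICATE-----$'
}

# Constructed sample of what s_client -showcerts prints: verbose handshake
# details wrapped around a leaf certificate and its issuing CA.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example LDAP CA
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example LDAP CA
-----BEGIN CERTIFICATE-----
MIIBsampleLeafCertificateBodyNotARealCert
-----END CERTIFICATE-----
 1 s:CN = Example LDAP CA
   i:CN = Example LDAP CA
-----BEGIN CERTIFICATE-----
MIIBsampleCaCertificateBodyNotARealCert
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.com
---
SSL handshake has read 1234 bytes and written 456 bytes
DONE'

# Run the clean-up over the constructed sample and expose the results.
cleaned_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | extract_pem
}

# Real usage (commented out): capture the chain, clean it, then import it.
# openssl s_client -showcerts -connect ldap.example.com:636 </dev/null 2>/dev/null \
#   | extract_pem > cert_chain.pem
# keytool -import -storetype jks -keystore dir_example.jks -storepass dir-example \
#   -file cert_chain.pem -alias ldap-ca -noprompt

cleaned_sample
```

Two practical notes: redirect s_client's stderr (2>/dev/null) as well, since it interleaves warnings with the chain, and remember that keytool imports only the first certificate it finds in the file under the given alias, so if you want each certificate in the chain trusted separately, split the cleaned file and import each block with its own -alias.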
