During import, you might encounter the following error: Error: "java.lang.Exception: Input not an X.509 certificate."

Usually, this error occurs during the import of the end-entity certificate to the keystore.

keytool -import -trustcacerts -alias 'alias' -file certificate.crt [.p7b, .cer] -keystore 'your keystore'.jks

In this case, the points shown below should be double-checked:

• Make sure that the certificate is properly formatted. You can do that using nano 'certificate file'.crt, but make sure that the certificate is formatted like this:



Using PKCS#7, the file should be formatted like the example shown above as well, however the header and footer should be -----BEGIN PKCS7 ----- and -----END PKCS7 ----- . If the formatting is corrupted, use this tool to correct it. Once the code is pasted there, press “Decode” and copy whole code properly formatted. Save changes before exiting nano.


Once the formatting is corrected, retry the import.

If the import results in error again, check the below points.

• Alias of the certificate entry that should be imported. -alias flag should be filled with the alias of the keystore where CSR/RSA key/self-signed certificate triplet has been generated. To check the alias, run keytool -list -keystore 'your keystore'.jks -v

The needed alias will be displayed in Alias name section in the command shown above.



Once the correct alias is found, retry the import using the exact alias.

If the error persists, check the point below.

• The name of the keystore: Before importing, make sure that the keystore you are importing the certificate into is the correct one, and that it contains private key that matches CSR with which you have activated the certificate. You can check it by running keytool -list -keystore 'your keystore'.jks -v and checking Owner: section. There should be listed CN=.