Lumension® KnowledgeBase

Importing a Certificate results in Keytool Error (X.509 Certificate)



Patch and Remediation


Lumension Patch and Remediation Agent
Java 2 Platform, Enterprise Edition (J2EE) 1.2.2 platform and later
Microsoft Certificate Authority (CA)


This article describes a Keytool Error that can occur in certain circumstances and how to resolve the error.



A keytool error occurs when attempting to import a certificate. The error message is:

keytool error: Input not an X.509 certificate

This can occur as you attempt to import a root path certificate to a J2EE environment using the class keystore and a cacerts file to establish trust with the Web certificate authority.


  • Class Keystore (KeyStore.TrustedCertificateEntry). Contains a single public key certificate belonging to another party.
  • File Cacerts. A certificates file that represents a system-wide keystore with CA certificates and contains root CA certificates from several public CAs.
  • Source: Sun Developer Network 


This error results from Java expecting the certificate to be available in base-64 encoded X.509 format while the default encoding from the Microsoft certificate authority for the certificate is DER binary.


To resolve this issue, you must convert the root path certificate into base-64 encoded X.509 format. This involves creating an SSL request file through the Internet Services Manager.

To Convert a Certificate

  1. In the Administrative Tools, click Internet Services Manager.
  2. In the IIS Manager, select and expand the listed Web sites.
  3. Select PLUS and right-click. In the shortcut menu, click Properties.
  4. In the Properties dialog box, click Directory Security.
  5. Click Server Certificate.
  6. In the Certificate Wizard, select Create a new certificate and click Next.
  7. Select Prepare the request now, but send it later and click Next.
  8. Continue to complete the requested fields within the Certificate Wizard.
  9. In the Certificate Request File Name dialog box, save the request file to a folder on the local machine and click Next.
  10. On the local machine, open the certreq.txt in a text editor. Do not exit or close the Wizard at this point.
  11. Copy the contents of the certreq.txt file and paste into the Saved Request text box in the Wizard Certificate Server Request dialog box. You can also insert the entire file.
  12. In the Wizard Certificate Server Request dialog box, click Submit.
  13. Download the certificate response file and name the file certnew.cer.
  14. Download the certificate chain for the root path certificate and name it certnew.p7b.
  15. In the Internet Services Manager, open (double-click) the certnew.p7b root chain.
  16. Select the certificate chain and right-click. In the shortcut menu, click Certificate Export Wizard.
  17. In the Certificate Export Wizard, click Next.
  18. Select Base-64 encoded X.509 (.CER) and click Next.
  19. Rename the certificate to rootcert.cer and save it as Base-64 encoded X.509 format.
  20. Import the new certificate into the Java Keystore using the command:
    • keytool -import -keystore /path/to/cacerts -alias nameofalias -file certname
  21. Import the certnew.cer or the webcert in the same manner using a separate alias.
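
The check below is an added example, not part of the original article or of any Lumension tooling. It inspects a certificate file's leading bytes to tell DER binary from Base-64 encoded X.509, flags a .p7b chain that still needs the export in steps 15-19, and re-encodes DER as Base-64 before the keytool import in step 20. The function names and sample bytes are assumptions constructed for illustration; the samples are not real certificates.

```python
import ssl

PEM_CERT_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_PKCS7_HEADER = b"-----BEGIN PKCS7-----"
# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), present at the
# start of a binary .p7b chain file such as certnew.p7b.
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")

# Constructed stand-ins (NOT real certificates): only the leading bytes matter here.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(16))
SAMPLE_P7B = b"\x30\x82\x01\x0a" + PKCS7_SIGNED_DATA_OID + b"\xa0\x82\x00\xfb"


def classify_cert_bytes(data: bytes) -> str:
    """Heuristic on leading bytes; does not parse or validate the ASN.1."""
    head = data.lstrip()
    if head.startswith(PEM_CERT_HEADER):
        return "pem-x509"      # Base-64 encoded X.509
    if head.startswith(PEM_PKCS7_HEADER):
        return "pem-pkcs7"     # Base-64 encoded chain, not a single certificate
    if data[:1] == b"\x30":    # ASN.1 SEQUENCE tag: a binary DER structure
        if PKCS7_SIGNED_DATA_OID in data[:32]:
            return "der-pkcs7"
        return "der-x509"
    return "unknown"


def to_base64_x509(data: bytes) -> str:
    """Return Base-64 encoded X.509 text, re-encoding DER binary when needed."""
    kind = classify_cert_bytes(data)
    if kind == "pem-x509":
        return data.decode("ascii")
    if kind == "der-x509":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError(f"{kind}: export a single certificate first (steps 15-19)")


if __name__ == "__main__":
    for name, blob in (("rootcert.cer", SAMPLE_DER), ("certnew.p7b", SAMPLE_P7B)):
        print(name, "->", classify_cert_bytes(blob))
    print(to_base64_x509(SAMPLE_DER))
```

To check a real file, pass its contents read in binary mode to classify_cert_bytes before running keytool.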
