Ask a Question

Advanced Search

Solution ID : SO1379

Last Modified : 05/02/2018

Error: "java.lang.Exception: Input not an X.509 certificate" when installing a Certificate using Keytool

Error Message

Keytool error: java.lang.Exception: Failed to establish chain from reply

Keytool error: java.lang.Exception: Input not an X.509 certificate


This error message occurs for one of the following reasons:

  • The Keystore and or Alias name specified during the certificate import is incorrect.
  • The version of keytool is very particular about the format of the certificate that is being imported


In order to resolve this error, perform the following steps:

Method 1:  Incorrect Keystore or Alias name

During the private key and public key (Certificate Signing Request) generation, a Keystore name and Alias name is specified. To import the certificate successfully, the exact same Keystore Name and Alias name must also be specified.
In the following example syntax Training is set as the alias while generating the key:

Keytool -genkey -alias Training -keyalg RSA -keystore C:\java_training\training.keystore (Creates a keystore called training.keystore and a alias called Training)

To determine the alias used by the private key in the keystore, use the following command:

keytool -list <keystore_file_name>

Method 2:  Incorrectly formatted certificate

Download the certificate in standard format and copy it to notepad including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. save it as cert.cer.

Note: Keep the five dashes before and after the 'Begin' and 'End' line statements.

  1. Import the certificate file into Internet Explorer. Open Internet Explorer
  2. Click Tools > Internet Options > Content > Certificates
  3. The Internet Explorer certificate store should open and default to the Personal tab
  4. Click import
  5. The Certificate Wizard should open. Click Next
  6. Click Browse and locate where you have the certificate file saved
  7. Select the file and click Open
  8. Click Next to continue in the wizard
  9. Click Next
  10. Click Finish. The certificate should now be imported into Internet Explorer.
  11. With the Internet Explorer certificate store still open, locate the certificate in the Personal store.
  12. Select the entry and click Export
  13. The wizard will open. Click Next
  14. Select the radio button next to DER encoded Binary X.509 (CER)
  15. Click Next
  16. Click Browse and select the location where you want to save the file (i.e. Desktop)
  17. Provide a file name and click Save
  18. Click Next
  19. Click Finish

Try to import this DER encoded certificate file into the keystore.