Fix keytool Error: Input not an X.509 certificate

Fix keytool Input not an X.509 certificate by importing valid PEM, DER, or supported certificate-chain input instead of HTML, private keys, PFX files, or malformed PEM.


Reviewed by Deepak Prasad


You run keytool -importcert, keytool -printcert, or a vendor script that wraps keytool — and it stops with Input not an X.509 certificate. The keystore password is fine; keytool rejects the file before it can create a trustedCertEntry or process a certificate reply.

Use the table below to jump to the cause that fits your file. Each section explains what went wrong and how to fix it. For importing identity material (cert plus private key), see Import PEM private key into Java keystore instead of forcing -importcert.

Tested on: Ubuntu 26.04 LTS; OpenJDK 25.0.3; kernel 7.0.0-27-generic.


What the error actually means

keytool -importcert -file PATH and keytool -printcert -file PATH expect parseable certificate data: a PEM or DER X.509 certificate or, in certificate-reply workflows, a valid certificate chain such as a PKCS#7 bundle or a sequence of X.509 certificates.

For most truststore imports, keep one certificate per alias. If the file starts with HTML, a private key block, broken PEM text, or a PKCS12/PFX binary, keytool cannot parse it as certificate input and reports:

```text
keytool error: java.lang.Exception: Input not an X.509 certificate
```

This is a format problem at parse time — not a wrong keystore password (keystore tampered guide), not a CSR alias mismatch (public keys mismatch), and not a missing CA chain (chain from reply).


Quick pre-check

Before importing, identify the file — the same PEM and DER checks as view a certificate with OpenSSL:

```bash
file certificate-file
head -5 certificate-file
keytool -printcert -file certificate-file
openssl x509 -in certificate-file -noout -subject -issuer
```

Use the result:

| Result | Meaning |
|---|---|
| BEGIN CERTIFICATE | PEM certificate |
| BEGIN PRIVATE KEY | Private key, not for -importcert |
| <html> | Downloaded page, not a certificate |
| .p12 / .pfx / binary data | Use -importkeystore or extract the public certificate |
| keytool -printcert works | Certificate input is parseable |

For DER/binary .cer files, add -inform DER to the openssl x509 command.


Find your cause

| Likely cause | Clues | Go to |
|---|---|---|
| HTML or plain text file | Browser-saved page, README, or error log with .crt extension | HTML or text file |
| Private key passed to -importcert | File starts with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- | Private key as certificate |
| PEM contains cert and private key | Exported .pem / .pfx conversion left both blocks in one file | Combined PEM file |
| PKCS12/PFX file passed to -importcert | File is .pfx or .p12; keystore container, not plain certificate input | PFX or PKCS12 passed to importcert |
| PKCS7 / P7B bundle confusion | Vendor sent .p7b; file may be valid chain data but wrong workflow or encoding | PKCS7 bundle confusion |
| Malformed PEM boundaries | Extra spaces after BEGIN CERTIFICATE, broken copy-paste, truncated Base64 | Malformed PEM format |
| Error output saved as .crt | keytool -printcert or openssl stderr redirected into the import file | Error message in the file |
| Multi-certificate PEM bundle | ca-bundle.crt with several BEGIN CERTIFICATE blocks | Multiple certificates in one file |
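
The pre-check and the cause table above can be scripted so a deployment pipeline refuses to call keytool -importcert on the wrong input. The following POSIX shell function is an added example, not code from the article: it prints one token naming the cause it matched, and the token names and the 0x30 0x8x DER-prefix heuristic are my own choices. It does not replace openssl x509 or keytool -printcert, which still validate the Base64 body.

```shell
#!/bin/sh
# Added example, not from the article: apply the pre-check table to a file and
# print the matching cause so a deployment script can refuse to run
# keytool -importcert on bad input. Exit status is 0 only for "pem-cert".
classify_cert_input() {
  f=$1
  [ -s "$f" ] || { echo empty; return 1; }
  magic=$(od -An -N3 -tx1 "$f" | tr -d ' \n')
  # A UTF-8 BOM left by a Windows editor hides the BEGIN line from strict parsers.
  [ "$magic" = "efbbbf" ] && { echo utf8-bom; return 1; }
  # DER certificates and PKCS12/PFX containers are both DER SEQUENCEs (30 82 ..):
  # DER is fine for -importcert, PKCS12 needs -importkeystore (assumed heuristic).
  case "$magic" in 308[12]*) echo der-or-pkcs12; return 1 ;; esac
  # Drop CR so CRLF files are judged on their boundary text, not line endings.
  txt=$(tr -d '\r' < "$f")
  printf '%s\n' "$txt" | grep -qi '<html' && { echo html; return 1; }
  printf '%s\n' "$txt" | grep -q '^keytool error:' && { echo error-text; return 1; }
  printf '%s\n' "$txt" | grep -q '^-----BEGIN PKCS7-----$' && { echo pkcs7; return 1; }
  keys=$(printf '%s\n' "$txt" | grep -c '^-----BEGIN .*PRIVATE KEY-----$' || true)
  certs=$(printf '%s\n' "$txt" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
  # Extra characters on a BEGIN CERTIFICATE line (usually a trailing space)
  # violate RFC 7468 and fail on stricter JDK builds.
  bad=$(printf '%s\n' "$txt" | grep -c '^-----BEGIN CERTIFICATE-----.' || true)
  if [ "$bad" -gt 0 ]; then echo malformed-pem; return 1; fi
  if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo combined; return 1; fi
  if [ "$keys" -gt 0 ]; then echo private-key; return 1; fi
  if [ "$certs" -gt 1 ]; then echo multi-cert; return 1; fi
  if [ "$certs" -eq 1 ]; then echo pem-cert; return 0; fi
  echo unknown-text; return 1
}

# Usage: sh precheck.sh FILE...  (non-zero status: do not call -importcert yet)
if [ "$#" -gt 0 ]; then
  rc=0
  for f in "$@"; do
    kind=$(classify_cert_input "$f") || rc=1
    printf '%s: %s\n' "$f" "$kind"
  done
  exit "$rc"
fi
```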

HTML or plain text instead of a certificate

Download pages and control panels sometimes save an HTML wrapper instead of the raw certificate. Pointing keytool at that file fails immediately:

```bash
keytool -importcert -alias bad -file page.html \
  -keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
```

```text
keytool error: java.lang.Exception: Input not an X.509 certificate
```

Open the file in a text editor. You want lines that start with -----BEGIN CERTIFICATE-----, not <html> or human-readable error text.

Fix:

  1. Re-download the certificate in PEM or DER form from the CA or appliance.
  2. Run openssl x509 -in suspect.pem -noout -text for PEM — if OpenSSL cannot parse it, keytool will not either. For DER files, use openssl x509 -inform DER -in cert.der -noout -text.
  3. Use keytool -printcert -file fixed.pem as a quick pre-check before -importcert.

Private key file passed to -importcert

-importcert creates a trustedCertEntry (or installs a signed reply onto an existing private-key alias). It does not accept a standalone private key file:

```bash
keytool -importcert -alias badkey -file privkey.pem \
  -keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
```

```text
keytool error: java.lang.Exception: Input not an X.509 certificate
```

A private key PEM looks like:

```text
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
```

Fix by choosing the right workflow:

| Goal | Tooling |
|---|---|
| Trust a remote server CA | Import the certificate (public) only with -importcert |

Never point -importcert -file at privkey.pem or key.pem.


PEM file with private key and certificate

A common export mistake leaves both blocks in one file:

```text
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```

```bash
keytool -importcert -alias combined -file combined.pem \
  -keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
```

```text
keytool error: java.lang.Exception: Input not an X.509 certificate
```

keytool -importcert on a trust import expects certificate material only. A private-key block before the certificate breaks parsing for that workflow.

Fix for trust import — extract the certificate only:

```bash
openssl x509 -in combined.pem -out certonly.pem
keytool -importcert -alias ca -file certonly.pem \
  -keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
```

```text
Certificate was added to keystore
```

Fix for server identity — do not use -importcert on the combined file; build PKCS12 with openssl pkcs12 -export instead.


PFX or PKCS12 file passed to importcert

A .pfx or .p12 file is a PKCS12 keystore container. Do not import it with keytool -importcert.

If you want to import the identity into Java:

```bash
keytool -importkeystore \
  -srckeystore server.pfx -srcstoretype PKCS12 -srcstorepass SRC \
  -destkeystore server.p12 -deststoretype PKCS12 -deststorepass DEST
```

If you only need the public certificate for a truststore, extract it first:

```bash
openssl pkcs12 -in server.pfx -nokeys -out cert.pem -passin pass:SRC

keytool -importcert -alias server -file cert.pem \
  -keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
```

See Import PKCS12/PFX into Java keystore for the full identity path.


PKCS7 or P7B bundle confusion

Some CAs deliver PKCS#7 (.p7b / .p7c) files. keytool -importcert can import PKCS#7 certificate chains when the file is a valid certificate reply or chain. Failures usually happen when the file is malformed, encoded differently than expected, or when you are trying to treat a whole chain as one normal trusted certificate alias.

Pre-check the file:

```bash
keytool -printcert -file bundle.p7b
openssl pkcs7 -print_certs -in bundle.p7b -out chain.pem
```

If keytool -printcert fails but OpenSSL can extract certificates, import the extracted PEM certificates individually for a truststore, or use the certificate chain workflow when updating an existing private-key alias.

When a valid .p7b still fails on your JDK build, extract PEM certs with OpenSSL and import one trusted certificate per alias.


Malformed PEM boundaries and copy-paste

Stricter JDK builds enforce RFC 7468 PEM text rules. Extra characters on the BEGIN / END lines — especially a space after -----BEGIN CERTIFICATE----- — can cause parse failures on some Java versions.

Symptoms:

  • openssl x509 fails or warns on the same file
  • keytool -printcert reports Failed to parse input or Input not an X.509 certificate

Fix:

  1. Edit the PEM so BEGIN and END lines contain only the marker text (no trailing spaces).
  2. Convert to DER and import the binary form:

```bash
openssl x509 -in broken.pem -outform der -out cert.der
keytool -importcert -alias ca -file cert.der \
  -keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
```

  3. Re-export from OpenSSL or the CA rather than hand-editing Base64.

Windows copy-paste sometimes adds a UTF-8 BOM or CR-only line endings; running file cert.pem on Linux helps tell plain ASCII text from HTML or UTF-8 Unicode text.


Error output saved as a certificate file

A frequent pipeline bug redirects stderr into the certificate path:

```bash
keytool -printcert -file missing.pem > saved.crt 2>&1
```

If saved.crt contains keytool error: text, the next import fails:

```bash
keytool -importcert -alias fake -file saved.crt \
  -keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
```

```text
keytool error: java.lang.Exception: Input not an X.509 certificate
```

Always inspect the file before import:

```bash
head -5 saved.crt
keytool -printcert -file saved.crt
```

Only proceed when printcert shows Owner, Issuer, and fingerprints.


Multiple certificates in one PEM file

A PEM bundle (ca-bundle.crt, fullchain.pem) can contain several BEGIN CERTIFICATE blocks. This is valid certificate data, but the correct import method depends on the goal.

| Goal | Recommended import |
|---|---|
| Add trusted CA certificates to a truststore | Split the bundle and import one trusted certificate per alias |
| Install a CA reply for an existing private-key alias | Import the leaf certificate or ordered chain onto the CSR alias |
| Build a server identity keystore from cert + private key | Use openssl pkcs12 -export, then keytool -importkeystore |

For truststores, importing the entire fullchain.pem under one alias is usually not what you want. Import the root/intermediate CA certificates separately, or follow Import certificate chain.

Verify a split certificate before import:

```bash
keytool -printcert -file intermediate.pem
```

```text
Owner: CN=Intermediate CA, ...
Issuer: CN=Root CA, ...
```
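
Splitting a bundle into one certificate per file, as the truststore row of the table recommends, also covers the combined-PEM case above (the private-key block is simply skipped, leaving the same result as openssl x509 -in combined.pem -out certonly.pem). The shell functions below are an added example, not the article's code; the cert-N.pem naming, the alias prefix and the keystore arguments are my own placeholders, and the import loop assumes keytool is on PATH.

```shell
#!/bin/sh
# Added example, not from the article: split ca-bundle.crt / fullchain.pem /
# combined.pem into one certificate per file so each CA certificate can be
# imported under its own alias. Prints the number of certificates written.
split_pem_certs() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  # awk copies only the lines between BEGIN/END CERTIFICATE into numbered
  # files; a PRIVATE KEY block in the same file is never copied. CR is
  # stripped first so CRLF bundles match the exact boundary lines.
  tr -d '\r' < "$bundle" | awk -v dir="$outdir" '
    /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
    keep { print > out }
    /^-----END CERTIFICATE-----$/   { keep = 0; close(out) }
    END { print n + 0 }'
}

# Import every split certificate as its own trustedCertEntry (alias PREFIX-N).
# Placeholder arguments: outdir keystore storepass [prefix].
import_split_certs() {
  outdir=$1; keystore=$2; storepass=$3; prefix=${4:-ca}
  for f in "$outdir"/cert-*.pem; do
    [ -e "$f" ] || continue          # no match: nothing was split
    n=${f##*cert-}; n=${n%.pem}
    keytool -importcert -alias "$prefix-$n" -file "$f" \
      -keystore "$keystore" -storetype PKCS12 -storepass "$storepass" -noprompt
  done
}
```

Run keytool -printcert -file outdir/cert-N.pem on each piece first to confirm which one is the root and which the intermediate before choosing aliases.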

Quick lab reproduction

To see the error safely, create a valid cert, then import the wrong file type.

Valid baseline:

```bash
mkdir -p ~/x509-lab && cd ~/x509-lab
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out good.pem -days 1 \
  -nodes -subj "/CN=good" 2>/dev/null

keytool -importcert -alias good -file good.pem \
  -keystore lab.p12 -storetype PKCS12 -storepass changeit -noprompt
```

```text
Certificate was added to keystore
```

Import HTML:

```bash
echo '<html>not a cert</html>' > page.html
keytool -importcert -alias bad -file page.html \
  -keystore lab.p12 -storetype PKCS12 -storepass changeit -noprompt
```

```text
keytool error: java.lang.Exception: Input not an X.509 certificate
```

Import the private key file:

```bash
keytool -importcert -alias badkey -file key.pem \
  -keystore lab.p12 -storetype PKCS12 -storepass changeit -noprompt
```

```text
keytool error: java.lang.Exception: Input not an X.509 certificate
```

Run only in a throwaway directory.


Distinguish from other keytool errors

| Error | Meaning | Guide |
|---|---|---|
| Input not an X.509 certificate | File is not a parseable X.509 cert | This page |
| Failed to parse input | PEM/DER bytes malformed (related family) | Malformed PEM |

Summary

Input not an X.509 certificate means keytool could not parse the -file argument as certificate input. Start with the cause table: HTML or text, a private key, a PKCS12/PFX container, a combined PEM, PKCS7 workflow mismatch, malformed boundaries, stderr saved as .crt, or a multi-cert bundle used the wrong way. Verify with keytool -printcert or openssl x509, match the import method to your goal, and use keytool -importkeystore when the file is a PKCS12 identity container.


Frequently Asked Questions

1. What does Input not an X.509 certificate mean in keytool?

keytool could not parse the -file argument as certificate input — PEM/DER X.509, a valid PKCS#7 chain, or an expected certificate reply. Common mistakes are HTML, a private key block, a PKCS12/PFX container passed to -importcert, malformed PEM text, or stderr saved as a .crt file.

2. Can keytool import a PEM file that contains both a private key and a certificate?

For trustedCertEntry imports, use only the certificate block and remove any private key section. For identity keystores, use openssl pkcs12 -export and keytool -importkeystore. See Import PEM private key into Java keystore for the full identity path.

3. Does keytool accept PKCS7 or P7B files with -importcert?

Yes when the PKCS#7 file is a valid certificate reply or chain in an encoding keytool accepts. Failures usually mean the bundle is malformed, encoded unexpectedly, or you are importing it as one normal trusted alias instead of using a chain-reply workflow. Pre-check with keytool -printcert or extract PEM certs with openssl pkcs7 -print_certs.

4. How do I verify a file is a valid certificate before importing?

For PEM certificates, run openssl x509 -in file.pem -noout -text or keytool -printcert -file file.pem. For DER, add -inform DER with openssl. For PKCS7/P7B, use keytool -printcert -file bundle.p7b or openssl pkcs7 -print_certs. If these fail, the file is not usable certificate input for the workflow.

5. Is this error the same as Failed to establish chain from reply?

No. Input not an X.509 certificate fails before keytool accepts the file format. Failed to establish chain from reply means the file was a valid signed certificate reply but the issuer CA is missing from the keystore.

6. Can CRLF line endings cause this error?

Unusual line endings alone rarely cause this message if the PEM boundaries and Base64 body are intact. More often the file contains non-certificate content, a private key block, or stray characters immediately after the BEGIN CERTIFICATE PEM header line that break RFC 7468 parsing on stricter JDK builds.

Deepak Prasad

R&D Engineer