You run keytool -importcert, keytool -printcert, or a vendor script that wraps keytool — and it stops with Input not an X.509 certificate. The keystore password is fine; keytool rejects the file before it can create a trustedCertEntry or process a certificate reply.
Use the table below to jump to the cause that fits your file. Each section explains what went wrong and how to fix it. For importing identity material (cert plus private key), see Import PEM private key into Java keystore instead of forcing -importcert.
Tested on: Ubuntu 26.04 LTS; OpenJDK 25.0.3; kernel 7.0.0-27-generic.
Prerequisites
- OpenJDK with keytool: Install keytool on Ubuntu; see keytool command.
- openssl to pre-check file format before import (OpenSSL).
What the error actually means
keytool -importcert -file PATH and keytool -printcert -file PATH expect parseable certificate data: a PEM/DER X.509 certificate, or in certificate-reply workflows, a valid certificate chain such as PKCS#7 or a sequence of X.509 certificates.
For most truststore imports, keep one certificate per alias. If the file starts with HTML, a private key block, broken PEM text, or a PKCS12/PFX binary, keytool cannot parse it as certificate input and reports:
keytool error: java.lang.Exception: Input not an X.509 certificate
This is a format problem at parse time — not a wrong keystore password (keystore tampered guide), not a CSR alias mismatch (public keys mismatch), and not a missing CA chain (chain from reply).
Quick pre-check
Before importing, identify the file — the same PEM and DER checks as view a certificate with OpenSSL:
file certificate-file
head -5 certificate-file
keytool -printcert -file certificate-file
openssl x509 -in certificate-file -noout -subject -issuer
Use the result:
| Result | Meaning |
|---|---|
| BEGIN CERTIFICATE | PEM certificate |
| BEGIN PRIVATE KEY | Private key, not for -importcert |
| <html> | Downloaded page, not certificate |
| .p12 / .pfx / binary data | Use -importkeystore or extract the public cert |
| keytool -printcert works | Certificate input is parseable |
For DER/binary .cer files, add -inform DER to the openssl x509 command.
Find your cause
| Likely cause | Clues | Go to |
|---|---|---|
| HTML or plain text file | Browser-saved page, README, or error log with .crt extension | HTML or text file |
| Private key passed to -importcert | File starts with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- | Private key as certificate |
| PEM contains cert and private key | Exported .pem / .pfx conversion left both blocks in one file | Combined PEM file |
| PKCS12/PFX file passed to -importcert | File is .pfx or .p12; keystore container, not plain certificate input | PFX or PKCS12 passed to importcert |
| PKCS7 / P7B bundle confusion | Vendor sent .p7b; file may be valid chain data but wrong workflow or encoding | PKCS7 bundle confusion |
| Malformed PEM boundaries | Extra spaces after BEGIN CERTIFICATE, broken copy-paste, truncated Base64 | Malformed PEM format |
| Error output saved as .crt | keytool -printcert or openssl stderr redirected into the import file | Error message in the file |
| Multi-certificate PEM bundle | ca-bundle.crt with several BEGIN CERTIFICATE blocks | Multiple certificates in one file |
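The pre-check and cause table above, written as one shell function. This is an added example, not part of the original article or of keytool: `classify_cert_input` and its label names are hypothetical, it inspects file content only, and the demo files are constructed marker lines rather than real certificates.

```shell
#!/bin/sh
# Added example, not from the original page: label a file by content before
# running keytool -importcert. classify_cert_input is a hypothetical helper.
classify_cert_input() {
    f=$1
    [ -s "$f" ] || { echo "empty-or-missing"; return 0; }

    # DER certs, DER PKCS#7 and PKCS12 all start with an ASN.1 SEQUENCE (0x30)
    # and a long-form length byte; telling them apart needs openssl or keytool.
    case $(od -An -tx1 -N2 "$f" | tr -d ' \n') in
        308[0-4]) echo "binary-asn1"; return 0 ;;
    esac

    # CR-stripped view, so CRLF line endings alone are not reported as damage.
    text=$(tr -d '\r' < "$f")
    has() { printf '%s\n' "$text" | grep -Eq -e "$1"; }
    count() { printf '%s\n' "$text" | grep -Ec -e "$1" || true; }

    if has '<(html|HTML|!DOCTYPE|!doctype)'; then echo "html"; return 0; fi
    if has 'keytool error:'; then echo "error-text"; return 0; fi

    keys=$(count '-----BEGIN [A-Z ]*PRIVATE KEY-----')
    certs=$(count 'BEGIN CERTIFICATE')
    if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo "combined-pem"; return 0; fi
    if [ "$keys" -gt 0 ]; then echo "private-key"; return 0; fi
    if has '-----BEGIN PKCS7-----'; then echo "pkcs7-pem"; return 0; fi
    if [ "$certs" -eq 0 ]; then echo "unknown-text"; return 0; fi

    # Boundary lines must be exactly the marker: no BOM, no trailing spaces.
    bad=$(printf '%s\n' "$text" | grep -E -e '(BEGIN|END) CERTIFICATE' |
          grep -Evxc -e '-----(BEGIN|END) CERTIFICATE-----' || true)
    if [ "$bad" -gt 0 ]; then echo "malformed-pem"; return 0; fi
    if [ "$certs" -gt 1 ]; then echo "pem-bundle"; else echo "pem-cert"; fi
}

# Demo on constructed samples (marker lines only, not real certificates).
demo=$(mktemp -d)
printf '%s\n' '<html>not a cert</html>' > "$demo/page.html"
printf '%s\n' '-----BEGIN CERTIFICATE----- ' 'AAAA' '-----END CERTIFICATE-----' > "$demo/space.pem"
for s in "$demo"/*; do printf '%s: %s\n' "${s##*/}" "$(classify_cert_input "$s")"; done
rm -rf "$demo"
```

A `binary-asn1` result still needs `openssl x509 -inform DER` or `keytool -printcert` to tell a DER certificate from a PKCS12 container.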
HTML or plain text instead of a certificate
Download pages and control panels sometimes save an HTML wrapper instead of the raw certificate. Pointing keytool at that file fails immediately:
keytool -importcert -alias bad -file page.html \
-keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
keytool error: java.lang.Exception: Input not an X.509 certificate
Open the file in a text editor. You want lines that start with -----BEGIN CERTIFICATE-----, not <html> or human-readable error text.
Fix:
- Re-download the certificate in PEM or DER form from the CA or appliance.
- Run openssl x509 -in suspect.pem -noout -text for PEM — if OpenSSL cannot parse it, keytool will not either. For DER files, use openssl x509 -inform DER -in cert.der -noout -text.
- Use keytool -printcert -file fixed.pem as a quick pre-check before -importcert.
Private key file passed to -importcert
-importcert creates a trustedCertEntry (or installs a signed reply onto an existing private-key alias). It does not accept a standalone private key file:
keytool -importcert -alias badkey -file privkey.pem \
-keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
keytool error: java.lang.Exception: Input not an X.509 certificate
A private key PEM looks like:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Fix by choosing the right workflow:
| Goal | Tooling |
|---|---|
| Trust a remote server CA | Import the certificate (public) only with -importcert |
Never point -importcert -file at privkey.pem or key.pem.
PEM file with private key and certificate
A common export mistake leaves both blocks in one file:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
keytool -importcert -alias combined -file combined.pem \
-keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
keytool error: java.lang.Exception: Input not an X.509 certificate
keytool -importcert on a trust import expects certificate material only. A private-key block before the certificate breaks parsing for that workflow.
Fix for trust import — extract the certificate only:
openssl x509 -in combined.pem -out certonly.pem
keytool -importcert -alias ca -file certonly.pem \
-keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
Certificate was added to keystore
Fix for server identity — do not use -importcert on the combined file; build PKCS12 with openssl pkcs12 -export instead.
PFX or PKCS12 file passed to importcert
A .pfx or .p12 file is a PKCS12 keystore container. Do not import it with keytool -importcert.
If you want to import the identity into Java:
keytool -importkeystore \
-srckeystore server.pfx -srcstoretype PKCS12 -srcstorepass SRC \
-destkeystore server.p12 -deststoretype PKCS12 -deststorepass DEST
If you only need the public certificate for a truststore, extract it first:
openssl pkcs12 -in server.pfx -nokeys -out cert.pem -passin pass:SRC
keytool -importcert -alias server -file cert.pem \
-keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
See Import PKCS12/PFX into Java keystore for the full identity path.
PKCS7 or P7B bundle confusion
Some CAs deliver PKCS#7 (.p7b / .p7c) files. keytool -importcert can import PKCS#7 certificate chains when the file is a valid certificate reply or chain. Failures usually happen when the file is malformed, encoded differently than expected, or when you are trying to treat a whole chain as one normal trusted certificate alias.
Pre-check the file:
keytool -printcert -file bundle.p7b
openssl pkcs7 -print_certs -in bundle.p7b -out chain.pem
If keytool -printcert fails but OpenSSL can extract certificates, import the extracted PEM certificates individually for a truststore, or use the certificate chain workflow when updating an existing private-key alias.
When a valid .p7b still fails on your JDK build, extract PEM certs with OpenSSL and import one trusted certificate per alias.
Malformed PEM boundaries and copy-paste
Stricter JDK builds enforce RFC 7468 PEM text rules. Extra characters on the BEGIN / END lines — especially a space after -----BEGIN CERTIFICATE----- — can cause parse failures on some Java versions.
Symptoms:
- openssl x509 fails or warns on the same file
- keytool -printcert reports Failed to parse input or Input not an X.509 certificate
Fix:
- Edit the PEM so BEGIN and END lines contain only the marker text (no trailing spaces).
- Convert to DER and import binary form:
openssl x509 -in broken.pem -outform der -out cert.der
keytool -importcert -alias ca -file cert.der \
-keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
- Re-export from OpenSSL or the CA rather than hand-editing Base64.
Windows copy-paste sometimes adds a UTF-8 BOM or \r only lines — file cert.pem on Linux helps spot ASCII text vs HTML vs UTF-8 Unicode.
Error output saved as a certificate file
A frequent pipeline bug redirects stderr into the certificate path:
keytool -printcert -file missing.pem > saved.crt 2>&1
If saved.crt contains keytool error: text, the next import fails:
keytool -importcert -alias fake -file saved.crt \
-keystore trust.p12 -storetype PKCS12 -storepass changeit -noprompt
keytool error: java.lang.Exception: Input not an X.509 certificate
Always inspect the file before import:
head -5 saved.crt
keytool -printcert -file saved.crt
Only proceed when printcert shows Owner, Issuer, and fingerprints.
Multiple certificates in one PEM file
A PEM bundle (ca-bundle.crt, fullchain.pem) can contain several BEGIN CERTIFICATE blocks. This is valid certificate data, but the correct import method depends on the goal.
| Goal | Recommended import |
|---|---|
| Add trusted CA certificates to a truststore | Split the bundle and import one trusted certificate per alias |
| Install a CA reply for an existing private-key alias | Import the leaf certificate or ordered chain onto the CSR alias |
| Build a server identity keystore from cert + private key | Use openssl pkcs12 -export, then keytool -importkeystore |
For truststores, importing the entire fullchain.pem under one alias is usually not what you want. Import the root/intermediate CA certificates separately, or follow Import certificate chain.
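One way to do the "split the bundle and import one trusted certificate per alias" step from the table above. This is an added example, not from the original page: `split_pem_bundle` and `import_split_certs` are hypothetical helper names, the cert-NN alias scheme is an assumption, and the keytool flags are the ones used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not from the original page. split_pem_bundle and
# import_split_certs are hypothetical helper names.

# Write each CERTIFICATE block of bundle $1 to $2/cert-NN.pem and print the
# count. Anything outside those blocks (comments, private keys) is dropped,
# so key material in a combined file never reaches the truststore directory.
split_pem_bundle() {
    mkdir -p "$2"
    tr -d '\r' < "$1" | awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ {
            n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }'
}

# Import every split file from directory $1 into keystore $2 under its own
# alias (cert-01, cert-02, ...). Assumes keytool is on PATH; the store
# password is the page's lab value. -noprompt skips the trust question, so
# review the Owner/Issuer lines printed here before relying on the store.
import_split_certs() {
    for c in "$1"/cert-*.pem; do
        [ -f "$c" ] || continue
        alias_name=$(basename "$c" .pem)
        if keytool -printcert -file "$c" | grep -E '^(Owner|Issuer):'; then
            keytool -importcert -alias "$alias_name" -file "$c" \
                -keystore "$2" -storetype PKCS12 -storepass changeit -noprompt
        else
            echo "skipped (not parseable): $c" >&2
        fi
    done
}

# Usage: split_pem_bundle ca-bundle.crt split && import_split_certs split trust.p12
```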
Verify a split certificate before import:
keytool -printcert -file intermediate.pem
Owner: CN=Intermediate CA, ...
Issuer: CN=Root CA, ...
Quick lab reproduction
To see the error safely, create a valid cert, then import the wrong file type.
Valid baseline:
mkdir -p ~/x509-lab && cd ~/x509-lab
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out good.pem -days 1 \
-nodes -subj "/CN=good" 2>/dev/null
keytool -importcert -alias good -file good.pem \
-keystore lab.p12 -storetype PKCS12 -storepass changeit -noprompt
Certificate was added to keystore
Import HTML:
echo '<html>not a cert</html>' > page.html
keytool -importcert -alias bad -file page.html \
-keystore lab.p12 -storetype PKCS12 -storepass changeit -noprompt
keytool error: java.lang.Exception: Input not an X.509 certificate
Import the private key file:
keytool -importcert -alias badkey -file key.pem \
-keystore lab.p12 -storetype PKCS12 -storepass changeit -noprompt
keytool error: java.lang.Exception: Input not an X.509 certificate
Run only in a throwaway directory.
Distinguish from other keytool errors
| Error | Meaning | Guide |
|---|---|---|
| Input not an X.509 certificate | File is not a parseable X.509 cert | This page |
| Failed to parse input | PEM/DER bytes malformed (related family) | Malformed PEM |
References
- keytool documentation (Oracle)
- RFC 7468 — Textual Encodings of PKIX, PKCS, and CMS Structures
Summary
Input not an X.509 certificate means keytool could not parse the -file argument as certificate input. Start with the cause table: HTML or text, a private key, a PKCS12/PFX container, a combined PEM, PKCS7 workflow mismatch, malformed boundaries, stderr saved as .crt, or a multi-cert bundle used the wrong way. Verify with keytool -printcert or openssl x509, match the import method to your goal, and use keytool -importkeystore when the file is a PKCS12 identity container.

