This Article consists of advanced troubleshooting to a very problematic issue that comes up with versions of Keytool when installing an SSL certificate. There can be numerous causes for this issue.

By all normal means when following SSL Installation Instructions for Tomcat using pkcs7 or SSL Installation Instructions for Tomcat using x.509 the user should have a smooth installation, but user may receive the following error message.


During installation of an SSL Certificate on a Tomcat/jBoss system you may get the following error using keytool:

Error: “java.lang.Exception: Input not an X.509 certificate.”


The cause of this error can happen for any of the following reasons.

  • Your version of Tomcat keytool will not accept a pkcs7/.p7b format certificate.
  • The certificate that you are importing into your keystore contains extra spaces. When keytool reads this file it sees the extra characters in its coding and Keytool is unable to read the certificate file.
  • You are installing a CSR or some other file instead of a x.509.
  • You can only install your SSL Certificate into the same keystore that was used to generate the CSR created to enroll for the SSL Certificate.
    • Conversions without a private key or taking an SSL Certificate that was created by means outside of the normal CSR Keytool generation will cause chaos during installation, and Keytool will display any error.


If you receive this error when you are installing an SSL Certificate from any CA Into your keystore troubleshoot the following..

  1. Make sure that your certificate files you are creating to install into your keystore are clean and flush with no extra spaces.
    Opening your certificate file in notepad Do note use notepad++ words, etc. advanced document editors can add characters to your certificate.

    1. All certificate files should look like the example to the right.
    2. The —-Begin Certificate—- and the —-End Certificate—– Header and footers should be on their own lines.
    3. Notice that there are no double spaces in between lines or in between the coding.
    4. If you see irregularities with your certificate compared to the example provided then edit it to make it look like such.
  2. An x.509 certificate will look like the example provided.
    If your header and footer say —Begin Certificate Request— and —-End Certificate Request—- then it means you have been installing your CSR the whole time, thus the error. Find your SSL Certificate that has been misplaced.
  3. An SSL Certificate created from a CSR outside a Keytool environment is going to lead to a bad time.
    Conversions never work quite well with keytool or Oracle keystore/wallet type environments. Standard practice for is Keystore generation using Keytool > CSR creation from that Keystore > Enrollment of the SSL Certificate from the CA > Install the SSL Certificate issued from the CA.Below are Instruction on the X.509 Tomcat installation.
    SSL Installation instructions for Tomcat using X509

These instructions are created out of troubleshooting experience in dealing with the many issues of Keytool. If you are unable to use these instructions for your server, or you are still having issues with Keytool/Tomcat Acmetek recommends that you contact either the vendor of your software or the organization that supports it.

Oracle Support:
For more information, please refer to Keytool Support

LoadingAdd to favorites

About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.