
I get the public cert from secure URL as below:

openssl s_client -showcerts -verify 5 -connect portal.myshop.com:9043 < /dev/null | openssl x509 -pubkey -noout>/home/app/portalpublic.crt

and then add the public cert to trust store using the below command:

keytool -import -alias portalpubliccert -file /home/app/portalpublic.crt -storetype JKS -keystore cacerts

However, I get the below error in doing so:

Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate

Can you please suggest how I can fix this issue?

cat -ev /home/app/portalpublic.crt

-----BEGIN PUBLIC KEY-----$
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6iAD/I9U2kKAqEokzEkA$
b2QmPQb73A/bA9YD+I+pqEkqtwQmpe6Oiu3+mx2ppA/NXG2QqNb4IfpVEgRrQygG$
6giuhMikPRq6PQ7wywfxWaPkJDDcrLg7Dn8v3l5XgpeaFZN1KSGMDpdrsEpSlxFS$
ZaxDKUfySyjppsC9GV4Lv1IXET5sSmfYw2RqCkO/Q8zcItVkzjZIBw8Y/eVrloGm$
AnQj89cLJbDFq2VogVjMGdOSGQc7cQ0ZZAyrv0XV4hKpi9taiNNXv0ZKWuvk1oFo$
GyfildXPnVKORxSx6d865kj93fCsEXlLjJ1c8xHVr992hEWlWVthByqpTB7DVccj$
xQIDAQAB$
-----END PUBLIC KEY-----$
  • A public key is not a certificate. Off topic. Commented Sep 14, 2020 at 9:51
  • I get this error on a Temurin JDK but NOT on an older OpenJDK. Weird. Commented Apr 20, 2022 at 19:00

1 Answer

Meta: this is not a programming or development problem, issue or question, and nowadays is likely to be closed. It would probably be suitable on security.SX or superuser.

I get the public cert from secure URL as below:

openssl s_client ... | openssl x509 -pubkey ...

NO YOU DIDN'T. You got the public key not the cert. The publickey is only a publickey and is not a cert, and a cert is not just a publickey although a cert (of the type here) contains a publickey. Also, you didn't get it 'from a URL'. You got it from a domain name, or more exactly from the host at or apparently at a domain name. A domain name is not a URL; some URLs (not all!) contain a domain name, but they are different things.

keytool -import ... -file ...

keytool -import[cert] requires a certificate. A publickey is not a certificate. That's why the error message says the input is not a certificate -- because it isn't.

A Java keystore can store a certificate, specifically an X.509/PKIX-type certificate, as a trustedCertEntry, but it cannot store a bare publickey. If you want to store a certificate from the given URL in a keystore, get and then import the certificate -- NOT the publickey. If for some reason you want to store only the publickey, which is basically useless if it's not linked to the other information in the certificate, don't use a Java keystore and don't use keytool.


5 Comments

Got it, Dave, and thanks, but can you share the command to get the certificate from the URL? Meanwhile I will search the Web.
I tried echo | openssl s_client -servername myshop -connect portal.myshop.com:9043 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > portalpublic.crt but am getting the same error.
That should work, and routinely does for me and (based on postings) at least thousands, probably millions, of other people. Look at the file: does it actually contain as expected the BEGIN line, base64 data, and END line? Can you add it to your Q (obviously if all details of your server are totally secret you can't)?
@djangofan: Temurin is OpenJDK. First make sure this really is a certificate (a file named .pem might not actually be PEM, and many PEM files are not certificates). If so ask a new question where this is appropriate, probably superuser or security.SX, and provide the cert, and say what error(s) you are getting and exactly what versions you are using to (try to) make it reproducible.
Turns out I was getting this error trying to download /_explorer/explorer.pem from cosmosdb, but my curl statement was whacked and it was downloading some html. (accident)
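The checks the answer and the comment thread ask for, as an added shell example that is not code from the question or the answer: it generates a throwaway self-signed certificate offline, reproduces the three kinds of file that show up in this thread (the certificate blocks filtered out of s_client output, the bare public key the question's pipeline produced, and a non-PEM HTML download), and classifies each before anything is handed to keytool. It assumes openssl is on PATH; keytool is only called by import_trusted_cert, which is defined but not run here, and the -storepass argument, the alias and the hostname are constructed values.

```shell
#!/bin/sh
# Added example, not from the question or answer: tell a PEM certificate apart
# from a bare public key or non-PEM junk before handing it to keytool.
# Assumes openssl is on PATH; every input below is constructed locally.
set -eu
# pem_kind FILE -> prints CERTIFICATE, PUBLIC KEY, or NONE
pem_kind() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"; then
        echo CERTIFICATE
    elif grep -q -- '-----BEGIN PUBLIC KEY-----' "$1"; then
        echo "PUBLIC KEY"
    else
        echo NONE
    fi
}
# extract_cert_chain SRC DST -> keep only the CERTIFICATE blocks from s_client
# output (the sed filter from the comment thread), dropping handshake chatter.
extract_cert_chain() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" > "$2"
}
# cert_is_x509 FILE -> succeeds only if openssl can parse the file as X.509
cert_is_x509() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}
# import_trusted_cert FILE ALIAS KEYSTORE STOREPASS -> the keytool step from the
# question, guarded so a public key or junk is rejected with a clear message.
import_trusted_cert() {
    kind=$(pem_kind "$1")
    if [ "$kind" != CERTIFICATE ]; then
        echo "refusing $1: contains $kind, not a certificate" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$2" -file "$1" -keystore "$3" -storepass "$4"
}
# --- constructed inputs: a throwaway self-signed cert, generated offline ---
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/key.pem" -out "$work/cert.pem" \
    -subj '/CN=portal.example.test' -days 1 >/dev/null 2>&1
# what s_client prints: handshake lines around the certificate (constructed)
{ echo 'CONNECTED(00000003)'; echo 'depth=0 CN = portal.example.test'; cat "$work/cert.pem"; echo '---'; } > "$work/sclient.txt"
# what the question's pipeline produced: only the public key
openssl x509 -in "$work/cert.pem" -pubkey -noout > "$work/pubkey.pem"
# what a broken download gives (last comment): an HTML page, not PEM
printf '<html><body>404</body></html>\n' > "$work/junk.pem"
extract_cert_chain "$work/sclient.txt" "$work/chain.pem"
```

Only chain.pem passes both pem_kind and cert_is_x509; pubkey.pem is classified as PUBLIC KEY, which is exactly what keytool refuses with "Input not an X.509 certificate".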
