Java keytool error: java.lang.Exception: Input not an X.509 certificate

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/24409169/


Tags: java, openssl, ssl-certificate, x509certificate, keystore

Asked by Arun Kumar

To make an SSL connection with some server, whenever I run the following command, followed by the key-store default password "changeit", in Windows to import the certificate into the Java keystore, the following error occurs:

COMMAND :

keytool -import -file "E:\postgrescert\server.crt" -keypass changeit -keystore "C:\Java\JDK\jre\lib\security\cacerts" -alias pgssslninet

ERROR:

keytool error: java.lang.Exception: Input not an X.509 certificate

The server.crt has the content below:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a1:ea:8c:61:61:0a:7d:69
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/[email protected]
        Validity
            Not Before: Jun 14 23:59:25 2013 GMT
            Not After : Jul 14 23:59:25 2013 GMT
        Subject: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:7c:dd:6e:5f:98:85:52:b4:13:45:2d:69:26:
                    61:6c:d7:ad:d6:12:27:bf:e1:07:53:a4:76:27:29:
                    ca:3d:82:e5:63:8c:9e:a5:b0:24:f6:77:86:92:ab:
                    42:e5:26:8a:4a:ea:ea:4a:65:20:a1:3b:05:c7:e0:
                    31:8e:4c:6e:e5:9e:e4:9c:de:05:02:b3:59:70:00:
                    df:fb:b9:62:e1:5b:8e:1b:29:2d:7c:41:86:41:a9:
                    9e:24:f8:65:54:8c:cf:44:c4:7b:fa:12:b4:84:d1:
                    d7:d7:2f:14:32:f9:2e:7b:c2:d8:0b:35:c9:f5:8b:
                    64:ed:cf:84:6e:bf:97:d0:44:7b:6b:67:c6:5b:6f:
                    92:5d:f6:d7:01:b6:ba:96:37:c8:3b:f8:be:01:b5:
                    02:d1:6b:21:67:83:c8:fd:37:bd:70:e5:c1:e4:81:
                    b0:42:a9:04:b1:3d:33:4c:43:2b:33:cc:50:65:1e:
                    c0:15:8d:e3:5f:b0:9c:d9:04:09:18:e7:8f:80:56:
                    6f:45:1d:0a:c2:2d:02:7e:67:2a:8a:1b:73:4a:db:
                    80:e0:52:d6:33:23:c7:aa:48:b0:5c:ad:7f:8c:96:
                    7c:d4:84:61:4d:ae:d3:9c:ef:59:c1:bd:71:83:c3:
                    5e:a4:04:84:8f:cd:76:82:3a:86:43:ab:c1:f4:e9:
                    02:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7
            X509v3 Authority Key Identifier: 
                keyid:C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        6b:2f:5f:33:f8:bb:55:66:c3:48:c9:ae:64:c1:89:5b:e1:54:
        9a:bc:ae:34:87:7e:bc:e7:30:26:9e:65:58:42:79:19:e2:ee:
        93:2a:c7:2d:a9:45:b4:1c:7b:5f:5a:ec:12:e3:76:38:c5:44:
        aa:7f:bd:60:b6:a6:83:90:68:9d:8f:1c:7a:69:4a:58:a8:55:
        5a:36:9e:e3:69:76:50:0e:4c:30:54:11:4c:de:10:91:6f:aa:
        49:34:19:1c:96:cb:8a:6c:fd:df:19:ed:e1:84:2b:05:12:68:
        e6:af:c5:59:c2:61:ca:10:2c:8e:cc:0a:34:7e:08:e5:22:ac:
        01:fd:fc:4d:16:4f:66:29:58:ac:8e:25:79:3d:de:b6:ef:55:
        6e:26:c5:75:9d:6d:57:4e:02:89:b8:c1:b8:47:b7:09:9b:07:
        cf:5b:a3:bc:a3:6b:ef:a1:4c:95:a0:be:0f:d4:63:fe:35:c6:
        c6:42:10:0b:28:13:02:a3:6e:b3:bf:ae:57:a8:bd:a1:25:6a:
        2d:cd:c7:20:64:4b:2e:f2:b2:c9:5c:85:cf:6f:de:39:86:84:
        94:d3:01:c5:25:b7:ec:65:1b:5f:93:ec:9d:cc:81:fa:c7:34:
        fc:e4:e2:5c:3f:4b:cc:83:bb:f0:67:88:1f:f6:a1:3b:9e:00:
        7b:ba:b2:79
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJAKHqjGFhCn1pMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCQ0ExEDAOBgNVBAcMB0ZyZW1vbnQxEjAQBgNVBAoM
CURhdGFndWlzZTELMAkGA1UECwwCSVQxFDASBgNVBAMMC0NvbW1vbiBOYW1lMSgw
JgYJKoZIhvcNAQkBFhlzcmluaS5zdWJyYUBkYXRhZ3Vpc2UuY29tMB4XDTEzMDYx
NDIzNTkyNVoXDTEzMDcxNDIzNTkyNVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
DAJDQTEQMA4GA1UEBwwHRnJlbW9udDESMBAGA1UECgwJRGF0YWd1aXNlMQswCQYD
VQQLDAJJVDEUMBIGA1UEAwwLQ29tbW9uIE5hbWUxKDAmBgkqhkiG9w0BCQEWGXNy
aW5pLnN1YnJhQGRhdGFndWlzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDefN1uX5iFUrQTRS1pJmFs163WEie/4QdTpHYnKco9guVjjJ6lsCT2
d4aSq0LlJopK6upKZSChOwXH4DGOTG7lnuSc3gUCs1lwAN/7uWLhW44bKS18QYZB
qZ4k+GVUjM9ExHv6ErSE0dfXLxQy+S57wtgLNcn1i2Ttz4Ruv5fQRHtrZ8Zbb5Jd
9tcBtrqWN8g7+L4BtQLRayFng8j9N71w5cHkgbBCqQSxPTNMQyszzFBlHsAVjeNf
sJzZBAkY54+AVm9FHQrCLQJ+ZyqKG3NK24DgUtYzI8eqSLBcrX+MlnzUhGFNrtOc
71nBvXGDw16kBISPzXaCOoZDq8H06QLVAgMBAAGjUDBOMB0GA1UdDgQWBBTBT/ou
j/M2/q6bEnPHCMlZllNxpzAfBgNVHSMEGDAWgBTBT/ouj/M2/q6bEnPHCMlZllNx
pzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBrL18z+LtVZsNIya5k
wYlb4VSavK40h3685zAmnmVYQnkZ4u6TKsctqUW0HHtfWuwS43Y4xUSqf71gtqaD
kGidjxx6aUpYqFVaNp7jaXZQDkwwVBFM3hCRb6pJNBkclsuKbP3fGe3hhCsFEmjm
r8VZwmHKECyOzAo0fgjlIqwB/fxNFk9mKVisjiV5Pd6271VuJsV1nW1XTgKJuMG4
R7cJmwfPW6O8o2vvoUyVoL4P1GP+NcbGQhALKBMCo26zv65XqL2hJWotzccgZEsu
8rLJXIXPb945hoSU0wHFJbfsZRtfk+ydzIH6xzT85OJcP0vMg7vwZ4gf9qE7ngB7
urJ5
-----END CERTIFICATE-----

Can anyone help me to locate the exact issue behind this error?

PS: When I removed everything above -----BEGIN CERTIFICATE-----, it got successfully imported. Is the information above -----BEGIN CERTIFICATE----- really required? Please help.

Regards,

Arun

Accepted answer by jww

> Can anyone help me to locate the exact issue behind this error?

Keytool can handle two formats. One is ASN.1/DER encoding, which looks like binary data under a hex editor. The other is RFC 1421, Certificate Encoding Standard, which is a Base64 encoding of the certificate. See the docs on Keytool at the Solaris site.

> When I removed everything above -----BEGIN CERTIFICATE-----, it got successfully imported. Is the information above -----BEGIN CERTIFICATE----- really required?

The format you describe above is Internet RFC 1421 Certificate Encoding Standard. Keytool should be able to handle the format. The manual clearly states that format is allowed:

> Certificates are often stored using the printable encoding format defined by the Internet RFC 1421 standard, instead of their binary encoding. This certificate format, also known as "Base 64 encoding", facilitates exporting certificates to other applications by email or through some other mechanism. ...
>
> Certificates read by the -import and -printcert commands can be in either this format or binary encoded.

In the above, the "this format" is RFC 1421. The "binary encoded" is ASN.1/DER.

With that said, the certificate looks like a client certificate since it has a PKCS#9 email address in the Common Name, and it does not have a DNS name (like example.com). Yet it also has a Basic Constraint of CA=TRUE.

Placing email addresses and DNS names in the Common Name field is deprecated by both the IETF and CA/B Forums. Those names should be placed in the Subject Alternate Name field. Use the Common Name for a friendly name or a display name like "John Doe" or "Datametrics".

Java also seems to follow the IETF standards closer than most others (others meaning tools and libraries; and not standards). But the RFCs tend to run fast and loose, and I don't recall the PKCS#9 email address/CA=TRUE flag being prohibited.

That issue may affect its import-ability. Bruno or EJP would probably know for certain.

Answer by ExpertNoob1

Same problem here. I just added an empty line at the end and keytool was happy.

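
The two observations on this page (the question's PS, where removing the text above -----BEGIN CERTIFICATE----- made the import succeed, and the last answer, where a final newline did) can be handled in one cleanup step. The Python below is an added example, not code from any poster; `clean_pem`, `der_total_length` and `sample_input` are hypothetical names. It checks only the outer DER framing of each block, and the sample body is a constructed stand-in, not a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def der_total_length(der: bytes) -> int:
    """Total size announced by the outer DER SEQUENCE header (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if not 1 <= n <= 4 or len(der) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def clean_pem(text: str) -> str:
    """Keep only the PEM certificate blocks, re-wrapped and newline-terminated."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)   # rejects stray characters
        if der_total_length(der) != len(der):
            raise ValueError("certificate body is truncated or has trailing bytes")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n")
    if not blocks:
        raise ValueError("no PEM certificate block found")
    return "".join(blocks)

def sample_input() -> str:
    """Constructed input: text preamble, stand-in DER body, no final newline."""
    der = bytes([0x30, 0x81, 0xCB, 0x04, 0x81, 0xC8]) + bytes(200)
    return ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
            "-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode("ascii")
            + "\n-----END CERTIFICATE-----")

if __name__ == "__main__":
    print(clean_pem(sample_input()), end="")
```

Write the returned text to a new file and pass that file to keytool -import -file in place of the original server.crt.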