16 Replies. Latest reply: Jun 19, 2007 9:58 AM by 843811

    Error Importing Certificate file Using Keytool

    843811
      Hello Folks

      I am trying to import a certificate file provided by our LDAP admin,
      and I get the following error.

      Please let me know if you have an idea why I am getting it.
      Does the size of the key file matter? It's around 4 KB.

      C:\j2sdk1.4.2_08\jre\lib\security>keytool -import -alias ldapsecurity -trustcacerts -file SOTROOT.cer -storepass changeit -noprompt -keystore ldapstore
      sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
           at sun.security.pkcs.PKCS7.parse(PKCS7.java:118)
           at sun.security.pkcs.PKCS7.<init>(PKCS7.java:68)
           at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:530)
           at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:407)
           at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:511)
           at sun.security.tools.KeyTool.installReply(KeyTool.java:1193)
           at sun.security.tools.KeyTool.doCommands(KeyTool.java:504)
           at sun.security.tools.KeyTool.run(KeyTool.java:124)
           at sun.security.tools.KeyTool.main(KeyTool.java:118)
      Caused by: java.io.IOException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
           at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:134)
           at sun.security.util.DerInputStream.getOID(DerInputStream.java:250)
           at sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:120)
           at sun.security.pkcs.PKCS7.parse(PKCS7.java:136)
           at sun.security.pkcs.PKCS7.parse(PKCS7.java:115)
           ... 8 more
      keytool error: java.security.cert.CertificateException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)

      Thanks
      Surendra
        • 1. Re: Error Importing Certificate file Using Keytool
          843811
          Is your certificate binary or ASCII? If ASCII, please make sure that the first and last lines of it both start with "-----". Some certificates have extra descriptions before the real data; they must be removed before feeding the file to keytool.
          • 2. Re: Error Importing Certificate file Using Keytool
            843811
            This is what my certificate file looks like

            -----BEGIN CERTIFICATE-----
            ####################################
            -----END CERTIFICATE-----
            • 3. Re: Error Importing Certificate file Using Keytool
              843811
              Can I import a public key with RSA (4096 bits) into the KeyStore? Will it cause any problem? Is that the cause of the exception?

              What do I need to do if I am provided with this kind of certificate?

              Does the certificate need to be reissued so that a 1024-bit private key (keyEntry) can be generated?

              Thanks and appreciate your response

              Surendra
              • 4. Re: Error Importing Certificate file Using Keytool
                843811
                When keytool tries to do a certificate import, it first tries the X.509 format, and then the PKCS 7 format. Looking at your error output, keytool has already gone to the 2nd phase (trying PKCS 7). However, the -----BEGIN CERTIFICATE----- line shows it is more likely the X.509 format, and the error message shows the 1st byte is 48, which looks even more like X.509.

                So I suspect the file is X.509 but the parsing process has some error and keytool falls back to PKCS7. Can you try "keytool -printcert" on your file? This should reveal the X.509 parsing error.
                • 5. Re: Error Importing Certificate file Using Keytool
                  843811
                  Just saw your new post. I don't think it's the 4096 reason.
                  • 6. Re: Error Importing Certificate file Using Keytool
                    843811
                    It failed the printcert command, so it's failing the second step in the PKCS7 parsing.

                    C:\j2sdk1.4.2_08\jre\lib\security>keytool -printcert -file SOTROOT.cer
                    sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
                         at sun.security.pkcs.PKCS7.parse(PKCS7.java:118)
                         at sun.security.pkcs.PKCS7.<init>(PKCS7.java:68)
                         at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:530)
                         at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:407)
                         at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:511)
                         at sun.security.tools.KeyTool.doPrintCert(KeyTool.java:1021)
                         at sun.security.tools.KeyTool.doCommands(KeyTool.java:539)
                         at sun.security.tools.KeyTool.run(KeyTool.java:124)
                         at sun.security.tools.KeyTool.main(KeyTool.java:118)
                    Caused by: java.io.IOException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
                         at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:134)
                         at sun.security.util.DerInputStream.getOID(DerInputStream.java:250)
                         at sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:120)
                         at sun.security.pkcs.PKCS7.parse(PKCS7.java:136)
                         at sun.security.pkcs.PKCS7.parse(PKCS7.java:115)
                         ... 8 more
                    keytool error: java.lang.Exception: Failed to parse input
                    • 7. Re: Error Importing Certificate file Using Keytool
                      843811
                      Sorry, I didn't realize that printcert also tries the PKCS 7 format. Can you try this little program?
                      http://www.exampledepot.com/egs/java.security.cert/ImportCert.html
                      • 8. Re: Error Importing Certificate file Using Keytool
                        843811
                        I am getting the following exception

                        Certificate Exception :java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
                        • 9. Re: Error Importing Certificate file Using Keytool
                          843811
                          Can you show the full stack trace for the exception?
                          • 10. Re: Error Importing Certificate file Using Keytool
                            843811
                            java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
                                 at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
                                 at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1679)
                                 at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:173)
                                 at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:101)
                                 at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
                                 at us.tn.state.trust.service.LDAPTest.importCertificate(LDAPTest.java:31)
                                 at us.tn.state.trust.service.LDAPTest.main(LDAPTest.java:19)
                            Caused by: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
                                 at sun.security.x509.X509Key.parse(X509Key.java:155)
                                 at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:58)
                                 at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:706)
                                 at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:153)
                                 ... 6 more
                            • 11. Re: Error Importing Certificate file Using Keytool
                              843811
                              Can you post your cert here?
                              • 12. Re: Error Importing Certificate file Using Keytool
                                843811
                                -----BEGIN CERTIFICATE-----
                                -----END CERTIFICATE-----
                                • 13. Re: Error Importing Certificate file Using Keytool
                                  843811
                                  Have a search in the JDK 1.4.2 docs and read the restriction here:
                                  http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#AppE

                                  Seems you have to use a later version.
                                  • 14. Re: Error Importing Certificate file Using Keytool
                                    843811
                                    The problem is with the version of the JDK; I downloaded 1.5.0_12 and the no-restrictions version of the JCE.

                                    Thanks for your responses.
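
Added example, not part of the original thread and not keytool's own code: a small DER reader that shows why the PKCS#7 fallback reports "tag = 48" on an X.509 file (a PKCS#7 ContentInfo opens with an OID, tag 6, while a certificate opens with the tbsCertificate SEQUENCE, tag 48) and that reads the RSA modulus size directly, which is what the later "Invalid RSA modulus size" exception depends on. All function names and the sample certificate skeleton are constructed for illustration.

```python
def read_tlv(buf, off):
    """Return (tag, content_start, content_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start=0):
    """List (tag, content) for the consecutive DER elements in buf[start:]."""
    out = []
    while start < len(buf):
        tag, s, start = read_tlv(buf, start)
        out.append((tag, buf[s:start]))
    return out

def classify(der):
    """Outer SEQUENCE opening with SEQUENCE (tag 48) is X.509; with an OID (tag 6), PKCS#7."""
    outer = children(der)
    if len(outer) != 1 or outer[0][0] != 0x30 or not outer[0][1]:
        return "unknown"
    return {0x30: "x509", 0x06: "pkcs7"}.get(outer[0][1][0], "unknown")

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in an X.509 certificate's subjectPublicKeyInfo."""
    tbs = children(children(der)[0][1])[0][1]
    fields = [f for f in children(tbs) if f[0] != 0xA0]   # drop optional [0] version
    spki = fields[5][1]            # serial, sigAlg, issuer, validity, subject, SPKI
    bit_string = children(spki)[1][1]
    rsa_key = children(bit_string, 1)[0][1]               # skip the unused-bits byte
    return int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

# Constructed sample input: a hypothetical skeleton, not the certificate from the thread.
def tlv(tag, content=b""):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_cert(bits):
    modulus = b"\x00" + (1 << (bits - 1)).to_bytes(bits // 8, "big")
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + tlv(0x05))   # rsaEncryption
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))
PKCS7_SAMPLE = tlv(0x30, bytes.fromhex("06092a864886f70d010702") + tlv(0xA0))  # signedData OID
```

For a real file, base64-decode the text between the BEGIN and END lines and pass the bytes to `classify` and `rsa_modulus_bits`; the reported size can then be compared against the key-size restriction documented for the JDK in use.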