16 Replies. Latest reply: Jun 19, 2007 7:58 AM by 843811

Error Importing Certificate file Using Keytool

843811 Newbie
Hello Folks

I am trying to import a certificate file provided by our LDAP admin, and
I get the following error.

Please let me know if you have an idea why I am getting it.
Does the size of the key file matter? It's around 4 KB.

C:\j2sdk1.4.2_08\jre\lib\security>keytool -import -alias ldapsecurity -trustcacerts -file SOTROOT.cer -storepass changeit -noprompt -keystore ldapstore
sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
    at sun.security.pkcs.PKCS7.parse(PKCS7.java:118)
    at sun.security.pkcs.PKCS7.<init>(PKCS7.java:68)
    at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:530)
    at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:407)
    at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:511)
    at sun.security.tools.KeyTool.installReply(KeyTool.java:1193)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:504)
    at sun.security.tools.KeyTool.run(KeyTool.java:124)
    at sun.security.tools.KeyTool.main(KeyTool.java:118)
Caused by: java.io.IOException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
    at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:134)
    at sun.security.util.DerInputStream.getOID(DerInputStream.java:250)
    at sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:120)
    at sun.security.pkcs.PKCS7.parse(PKCS7.java:136)
    at sun.security.pkcs.PKCS7.parse(PKCS7.java:115)
    ... 8 more
keytool error: java.security.cert.CertificateException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)

Thanks
Surendra
  • 1. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    Is your certificate binary or ASCII? If ASCII, please make sure that the first and last lines of it both start with "-----". Some certificates have extra descriptions before the real data; they must be removed before feeding the file to keytool.
  • 2. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    This is what my certificate file looks like:

    -----BEGIN CERTIFICATE-----
    ####################################
    -----END CERTIFICATE-----
  • 3. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    Can I import a public key with RSA (4096 bits) into the KeyStore? Will it cause any problem? Is that the cause of the exception?

    What do I need to do if I am provided with such a certificate?

    Does the certificate need to be reissued so that a 1024-bit private key (keyEntry) can be generated?

    Thanks and appreciate your response

    Surendra
  • 4. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    When keytool tries to do a certificate import, it first tries the X.509 format, and then the PKCS 7 format. Looking at your error output, keytool has already gone to the 2nd phase (trying PKCS 7). However, the -----BEGIN CERTIFICATE----- shows it is more likely an X.509 format, and the error message shows the 1st byte is 48, which looks even more like an X.509.

    So I suspect the file is X.509 but the parsing process had some error and keytool fell back to PKCS7. Can you try "keytool -printcert" on your file? This should reveal the X.509 parsing error.
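
The "tag = 48" in the trace above is the DER SEQUENCE tag (0x30): the trace shows the PKCS7 ContentInfo parser calling getOID, and an X.509 certificate has a nested SEQUENCE where a PKCS#7 ContentInfo has an OBJECT IDENTIFIER (tag 6). The following is an added example, not part of the thread and not keytool's code, that classifies a PEM or DER file by its first two tags; the function names and the sample byte strings are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes; PEM armor and any text around it are dropped."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(2).split())) if m else data

def read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER header at pos; return (tag, value_start, value_end)."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes are the length
        n = first & 0x7F
        if n == 0 or len(buf) < pos + n:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, pos, pos + length

def classify(data: bytes) -> str:
    """Report which structure the input's first two DER tags match."""
    der = to_der(data)
    outer, start, _ = read_tlv(der)
    if outer != 0x30:
        return "not a DER SEQUENCE (tag = %d)" % outer
    inner, _, _ = read_tlv(der, start)
    if inner == 0x30:   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ...
        return "X.509 certificate shape (inner tag = 48)"
    if inner == 0x06:   # ContentInfo ::= SEQUENCE { contentType OID, ...
        return "PKCS#7 ContentInfo shape (inner tag = 6)"
    return "unrecognized (inner tag = %d)" % inner

# Constructed sample inputs (hand-built DER skeletons, not real certificates).
X509_LIKE = bytes.fromhex("3006" "3002" "0500" "0500")
PKCS7_LIKE = bytes.fromhex("300d" "06092a864886f70d010702" "a000")
PEM_WITH_NOTES = (b"Bag Attributes: constructed description text\n"
                  b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(X509_LIKE)
                  + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name in ("X509_LIKE", "PKCS7_LIKE", "PEM_WITH_NOTES"):
        print(name, "->", classify(globals()[name]))
```

A file that classifies as X.509 here but still fails in keytool points to a problem deeper in the certificate than its container format.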
  • 5. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    Just saw your new post; I don't think it's the 4096 reason.
  • 6. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    It failed the printcert command. So it's failing the second step in the PKCS7 parsing.

    C:\j2sdk1.4.2_08\jre\lib\security>keytool -printcert -file SOTROOT.cer
    sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:118)
        at sun.security.pkcs.PKCS7.<init>(PKCS7.java:68)
        at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:530)
        at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:407)
        at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:511)
        at sun.security.tools.KeyTool.doPrintCert(KeyTool.java:1021)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:539)
        at sun.security.tools.KeyTool.run(KeyTool.java:124)
        at sun.security.tools.KeyTool.main(KeyTool.java:118)
    Caused by: java.io.IOException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:134)
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:250)
        at sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:120)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:136)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:115)
        ... 8 more
    keytool error: java.lang.Exception: Failed to parse input
  • 7. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    Sorry, I didn't realize that printcert also tries the PKCS 7 format. Can you try this little program?
    http://www.exampledepot.com/egs/java.security.cert/ImportCert.html
  • 8. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    I am getting the following exception

    Certificate Exception :java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
  • 9. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    Can you show the full stack trace for the exception?
  • 10. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    java.security.cert.CertificateParsingException: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
         at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:155)
         at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1679)
         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:173)
         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:101)
         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
         at us.tn.state.trust.service.LDAPTest.importCertificate(LDAPTest.java:31)
         at us.tn.state.trust.service.LDAPTest.main(LDAPTest.java:19)
    Caused by: java.io.IOException: subject key, Unknown key spec: Invalid RSA modulus size.
         at sun.security.x509.X509Key.parse(X509Key.java:155)
         at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:58)
         at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:706)
         at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:153)
         ... 6 more
  • 11. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    Can you post your cert here?
  • 12. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
  • 13. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    Have a search in the JDK 1.4.2 docs and read the restriction here:
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#AppE

    Seems you have to use a later version.
  • 14. Re: Error Importing Certificate file Using Keytool
    843811 Newbie
    The problem is with the version of the JDK. I downloaded 1.5.0_12 and the no-restrictions version of the JCE.

    Thanks for your responses.