2014-06-25 355 views
2

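To establish an SSL connection with a server, I run the following command and then type the default password "changeit" in the window. While importing the certificate into the Java keystore, I get the following error: Java keytool error: java.lang.Exception: Input not an X.509 certificate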

Command:

keytool -import -file "E:\postgrescert\server.crt" -keypass changeit -keystore "C:\Java\JDK\jre\lib\security\cacerts" -alias pgssslninet 

Error:

keytool error: java.lang.Exception: Input not an X.509 certificate 

server.crt has the following content:

Certificate: 
    Data: 
     Version: 3 (0x2) 
     Serial Number: 
      a1:ea:8c:61:61:0a:7d:69 
     Signature Algorithm: sha1WithRSAEncryption 
     Issuer: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/[email protected] 
     Validity 
      Not Before: Jun 14 23:59:25 2013 GMT 
      Not After : Jul 14 23:59:25 2013 GMT 
     Subject: C=US, ST=CA, L=fg, O=XYZ, OU=IT, CN=Common Name/[email protected] 
     Subject Public Key Info: 
      Public Key Algorithm: rsaEncryption 
       Public-Key: (2048 bit) 
       Modulus: 
        00:de:7c:dd:6e:5f:98:85:52:b4:13:45:2d:69:26: 
        61:6c:d7:ad:d6:12:27:bf:e1:07:53:a4:76:27:29: 
        ca:3d:82:e5:63:8c:9e:a5:b0:24:f6:77:86:92:ab: 
        42:e5:26:8a:4a:ea:ea:4a:65:20:a1:3b:05:c7:e0: 
        31:8e:4c:6e:e5:9e:e4:9c:de:05:02:b3:59:70:00: 
        df:fb:b9:62:e1:5b:8e:1b:29:2d:7c:41:86:41:a9: 
        9e:24:f8:65:54:8c:cf:44:c4:7b:fa:12:b4:84:d1: 
        d7:d7:2f:14:32:f9:2e:7b:c2:d8:0b:35:c9:f5:8b: 
        64:ed:cf:84:6e:bf:97:d0:44:7b:6b:67:c6:5b:6f: 
        92:5d:f6:d7:01:b6:ba:96:37:c8:3b:f8:be:01:b5: 
        02:d1:6b:21:67:83:c8:fd:37:bd:70:e5:c1:e4:81: 
        b0:42:a9:04:b1:3d:33:4c:43:2b:33:cc:50:65:1e: 
        c0:15:8d:e3:5f:b0:9c:d9:04:09:18:e7:8f:80:56: 
        6f:45:1d:0a:c2:2d:02:7e:67:2a:8a:1b:73:4a:db: 
        80:e0:52:d6:33:23:c7:aa:48:b0:5c:ad:7f:8c:96: 
        7c:d4:84:61:4d:ae:d3:9c:ef:59:c1:bd:71:83:c3: 
        5e:a4:04:84:8f:cd:76:82:3a:86:43:ab:c1:f4:e9: 
        02:d5 
       Exponent: 65537 (0x10001) 
     X509v3 extensions: 
      X509v3 Subject Key Identifier: 
       C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7 
      X509v3 Authority Key Identifier: 
       keyid:C1:4F:FA:2E:8F:F3:36:FE:AE:9B:12:73:C7:08:C9:59:96:53:71:A7 

      X509v3 Basic Constraints: 
       CA:TRUE 
    Signature Algorithm: sha1WithRSAEncryption 
     6b:2f:5f:33:f8:bb:55:66:c3:48:c9:ae:64:c1:89:5b:e1:54: 
     9a:bc:ae:34:87:7e:bc:e7:30:26:9e:65:58:42:79:19:e2:ee: 
     93:2a:c7:2d:a9:45:b4:1c:7b:5f:5a:ec:12:e3:76:38:c5:44: 
     aa:7f:bd:60:b6:a6:83:90:68:9d:8f:1c:7a:69:4a:58:a8:55: 
     5a:36:9e:e3:69:76:50:0e:4c:30:54:11:4c:de:10:91:6f:aa: 
     49:34:19:1c:96:cb:8a:6c:fd:df:19:ed:e1:84:2b:05:12:68: 
     e6:af:c5:59:c2:61:ca:10:2c:8e:cc:0a:34:7e:08:e5:22:ac: 
     01:fd:fc:4d:16:4f:66:29:58:ac:8e:25:79:3d:de:b6:ef:55: 
     6e:26:c5:75:9d:6d:57:4e:02:89:b8:c1:b8:47:b7:09:9b:07: 
     cf:5b:a3:bc:a3:6b:ef:a1:4c:95:a0:be:0f:d4:63:fe:35:c6: 
     c6:42:10:0b:28:13:02:a3:6e:b3:bf:ae:57:a8:bd:a1:25:6a: 
     2d:cd:c7:20:64:4b:2e:f2:b2:c9:5c:85:cf:6f:de:39:86:84: 
     94:d3:01:c5:25:b7:ec:65:1b:5f:93:ec:9d:cc:81:fa:c7:34: 
     fc:e4:e2:5c:3f:4b:cc:83:bb:f0:67:88:1f:f6:a1:3b:9e:00: 
     7b:ba:b2:79 
-----BEGIN CERTIFICATE----- 
MIID7zCCAtegAwIBAgIJAKHqjGFhCn1pMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD 
VQQGEwJVUzELMAkGA1UECAwCQ0ExEDAOBgNVBAcMB0ZyZW1vbnQxEjAQBgNVBAoM 
CURhdGFndWlzZTELMAkGA1UECwwCSVQxFDASBgNVBAMMC0NvbW1vbiBOYW1lMSgw 
JgYJKoZIhvcNAQkBFhlzcmluaS5zdWJyYUBkYXRhZ3Vpc2UuY29tMB4XDTEzMDYx 
NDIzNTkyNVoXDTEzMDcxNDIzNTkyNVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQI 
DAJDQTEQMA4GA1UEBwwHRnJlbW9udDESMBAGA1UECgwJRGF0YWd1aXNlMQswCQYD 
VQQLDAJJVDEUMBIGA1UEAwwLQ29tbW9uIE5hbWUxKDAmBgkqhkiG9w0BCQEWGXNy 
aW5pLnN1YnJhQGRhdGFndWlzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw 
ggEKAoIBAQDefN1uX5iFUrQTRS1pJmFs163WEie/4QdTpHYnKco9guVjjJ6lsCT2 
d4aSq0LlJopK6upKZSChOwXH4DGOTG7lnuSc3gUCs1lwAN/7uWLhW44bKS18QYZB 
qZ4k+GVUjM9ExHv6ErSE0dfXLxQy+S57wtgLNcn1i2Ttz4Ruv5fQRHtrZ8Zbb5Jd 
9tcBtrqWN8g7+L4BtQLRayFng8j9N71w5cHkgbBCqQSxPTNMQyszzFBlHsAVjeNf 
sJzZBAkY54+AVm9FHQrCLQJ+ZyqKG3NK24DgUtYzI8eqSLBcrX+MlnzUhGFNrtOc 
71nBvXGDw16kBISPzXaCOoZDq8H06QLVAgMBAAGjUDBOMB0GA1UdDgQWBBTBT/ou 
j/M2/q6bEnPHCMlZllNxpzAfBgNVHSMEGDAWgBTBT/ouj/M2/q6bEnPHCMlZllNx 
pzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBrL18z+LtVZsNIya5k 
wYlb4VSavK40h3685zAmnmVYQnkZ4u6TKsctqUW0HHtfWuwS43Y4xUSqf71gtqaD 
kGidjxx6aUpYqFVaNp7jaXZQDkwwVBFM3hCRb6pJNBkclsuKbP3fGe3hhCsFEmjm 
r8VZwmHKECyOzAo0fgjlIqwB/fxNFk9mKVisjiV5Pd6271VuJsV1nW1XTgKJuMG4 
R7cJmwfPW6O8o2vvoUyVoL4P1GP+NcbGQhALKBMCo26zv65XqL2hJWotzccgZEsu 
8rLJXIXPb945hoSU0wHFJbfsZRtfk+ydzIH6xzT85OJcP0vMg7vwZ4gf9qE7ngB7 
urJ5 
-----END CERTIFICATE----- 

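Can anyone help me to locate the exact issue behind this error?

PS: When I removed everything above -----BEGIN CERTIFICATE-----, it got successfully imported. Is the information above -----BEGIN CERTIFICATE----- really required? Please help.

Regards,

Arun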

+0

Well explained by JWW. My answer is at https://stackoverflow.com/questions/14889396/java-lang-exception-input-not-an-x-509-certificate-keytool-error/26639065#26639065 –

+0

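@jayeshVaghela - Thanks, but the data from '-----BEGIN CERTIFICATE-----' to '-----END CERTIFICATE-----' is already correctly formatted and is accepted if I remove the extra details (such as serial number, version, etc.) above the '-----BEGIN CERTIFICATE-----' line. –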

Answers

2

Can anyone help me to locate the exact issue behind this error.

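Keytool can handle two formats. One is ASN.1/DER encoding, which looks like binary data under a hex editor. The other is RFC 1421, the Certificate Encoding Standard, which is a Base64 encoding of the certificate. See Keytool's documentation on the Solaris site.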

When I removed everything above -----BEGIN CERTIFICATE-----, it got successfully imported. Is the information above -----BEGIN CERTIFICATE----- really required?

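The format you describe above is the Internet RFC 1421 Certificate Encoding Standard. Keytool should be able to handle the format. The manual clearly states that the format is allowed: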

Certificates are often stored using the printable encoding format defined by the Internet RFC 1421 standard, instead of their binary encoding. This certificate format, also known as "Base 64 encoding", facilitates exporting certificates to other applications by email or through some other mechanism. ...

Certificates read by the -import and -printcert commands can be in either this format or binary encoded.

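In the above, "this format" is RFC 1421, and "binary encoded" is ASN.1/DER.

With that said, the certificate looks like a client certificate because it has a PKCS#9 email address in the Common Name, and it lacks a DNS name (like example.com). There is also a Basic Constraint of CA=TRUE.

Placing email addresses and DNS names in the Common Name field is deprecated by both the IETF and the CA/B Forum. Those names should be placed in the Subject Alternate Name field. Use the Common Name for a friendly name or display name, like "John Doe" or "Datametrics". Java also seems to follow the IETF standards more closely than most others (others meaning tools and libraries, not standards). But the RFCs tend to run fast and loose, and I don't recall a PKCS#9 email address/CA=TRUE flag being prohibited.

That issue might affect its ability to be imported. Bruno or EJP would probably know for certain.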

+0

Thanks. If you could also tell me more about what the meta information above -----BEGIN CERTIFICATE----- really is, and how I can resolve this error :) –

0

Same problem here. I added an empty line at the end, and keytool was happy.