+ Start a Discussion

Not able to create keystore for client certificate downloaded from SF.

I am trying to create a keystore (to be used in my web service client). I downloaded the client certificate from sales force and tried to run the keytool application.


keytool -import -file sfdc-client.cert -keystore sfdcclient.keystore -storepass sfdcclient -alias sfdc

Got the error java.lang.Exception: Input not an X.509 certificate

BTW I am using 1.4.1_05. Thought it might be the jre version. I remember reading that early version of 1.4 had some issues. So Tried doing the same thing with 1.5. Still got the same error.

Please help.

the client cert is so that you can verify HTTP requests you _recieve_ from salesforce, not for HTTP requests you _make_ to salesforce. If all you want to do is call the web services API, you don't need the client cert.
Thanks Simon.
The partner WSDL I downloaded for my org has the endpoint as https://...... When I tried to invoke the webservice got an error that said no trusted certificate found. Please advice.
Make sure you're using a fairly recent JRE, some of the older 1.4.x ones have root certs that are now expired.
Ok. I will try with 1.5. So I don't need a keystroe for my WS client?
michael tangmichael tang
I have the same issue, I want to validate the outbound message request come from salesforce, how to work on that? the certificate i downloaded from salesforce can not be imported into java keystore, due to not a x.509 certificate.
Michael Tang

I realize this is an old post, but we were able to successfully use the Salesforce certificate on a Linux box and wanted to share in case anyone else is having the same issue .


The high level advice was provided by Premier Support -- I have added additional details for how to convert using Firefox.


When attempting to use the Salesforce certificate on a Linux box, the certificate must be converted to PEM format first using Open SSL or another tool.

Converting certs to PEM:

Save the Salesforce certificate to a location on your computer.

There are quite a few ways of converting a cert to PEM (Base 64 format):

One of the easiest way is to import a cert into the browser and then export into PEM format.

For this example, I am using the Firefox browser to import and export.

Tools -> Options -> Advanced  ->  Encryption  -> View Certificates

Select Servers or Authorities tab depending on if it is an individual's (or server) certificate or Trusted Authority certificate.

For this example, I chose Servers.

Hit Import and then select the file to import.  (This finishes the import process) Now you should see an entry in the  relevant Servers or Authorities tab. 


Select the file to export.
Hit Export button. When prompted enter the file name you want the export file to be called and select the appropriate Format.


I am using the very recent jre version 6 yet i am getting the ssl exception while calling the sales force api.Please suggest.