000016662 - RKM Java Client 'Error loading KeyStore' caused by 'java.io.IOException: toDerInputStream rejects tag type 45' or 'java.security.cert.CertificateException: DerInputStream.getLength(): lengthTag=127, too big'

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000016662
Applies To: RSA Key Manager Java Client 2.1.3 or later
Issue: RKM Java Client throws the error "java.io.IOException: toDerInputStream rejects tag type 45"
Sample encrypt/decrypt application in RSA Key Manager Java Client throws the following exception:

Exception in thread "main" com.rsa.kmc.KMException: Error loading KeyStore
   at com.rsa.kmc.x.af.a(Unknown Source)
   at com.rsa.kmc.x.af.a(Unknown Source)
   at com.rsa.kmc.x.af.a(Unknown Source)
   at com.rsa.kmc.KMConfig.<init>(Unknown Source)
   at rkmjc.simpleapi.EncryptAndDecryptData.run(EncryptAndDecryptData.java:37)
   at rkmjc.simpleapi.EncryptAndDecryptData.main(EncryptAndDecryptData.java:68)
Caused by: java.io.IOException: toDerInputStream rejects tag type 45
   at sun.security.util.DerValue.toDerInputStream(Unknown Source)
   at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(Unknown Source)
   at java.security.KeyStore.load(Unknown Source)
   ... 6 more
java.security.cert.CertificateException: DerInputStream.getLength(): lengthTag=127, too big
Cause: The RKM Java Client parses the file name provided for pki.server_keystore_file and infers the type of the file's contents from its extension. If the file extension is not .pem, .der, or .cer, the RKM 2.1.3 Java Client expects the file to be a PKCS#12 or JKS file. In this case, RootCA.crt contained the PEM-encoded certificate of the CA (Certificate Authority) that signed the web server's certificate.
Resolution: Rename RootCA.crt to RootCA.pem (as it contains a PEM-encoded certificate) and point pki.server_keystore_file to the renamed file. For example, the parameter in sample_config.properties may look like:


If .pem is already being used correctly as described above, ensure that the .pem file does not have more than one empty line after the PEM-encoded certificate footer "-----END CERTIFICATE-----".

"If you see the exception "java.security.cert.CertificateException: DerInputStream.getLength(): lengthTag=127, too big", there is an extraneous newline in the certificate file after the last line. Delete it and try again."
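A pre-flight check for the two conditions described in the Cause and Resolution above, given as an added example rather than RSA's own code. It applies the extension rule as this article states it and counts empty lines after the footer; the function names and the sample certificate body are constructed for illustration. The 45 in the exception is the ASCII code of '-', the first byte of a PEM header.

```python
import os

# Rule as this article describes it for RKM Java Client 2.1.3: .pem, .der and
# .cer are read as certificates; any other extension is expected to hold a
# PKCS#12 or JKS keystore.
CERT_EXTENSIONS = {".pem", ".der", ".cer"}
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"

# Constructed sample: the base64 body is a placeholder, not a real certificate.
SAMPLE_PEM = PEM_HEADER + b"\nQ09OU1RSVUNURUQ=\n" + PEM_FOOTER + b"\n"


def trailing_empty_lines(data):
    """Count empty lines after the last PEM footer (CRLF counts as one)."""
    idx = data.rfind(PEM_FOOTER)
    if idx < 0:
        return 0
    tail = data[idx + len(PEM_FOOTER):].replace(b"\r\n", b"\n")
    # The first newline only terminates the footer line itself.
    return max(tail.count(b"\n") - 1, 0)


def check_keystore_file(name, data):
    """Return findings for a file named in pki.server_keystore_file."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    is_pem = data.lstrip().startswith(PEM_HEADER)
    if is_pem and ext not in CERT_EXTENSIONS:
        first = data.lstrip()[0]  # 45 is ASCII '-', the start of the PEM header
        findings.append(
            f"{name}: PEM content, but extension {ext or '(none)'} selects the "
            f"PKCS#12/JKS loader, which reads byte {first} ('-') as a DER tag. "
            "Rename the file to .pem."
        )
    extra = trailing_empty_lines(data)
    if is_pem and extra > 1:
        findings.append(
            f"{name}: {extra} empty lines after the certificate footer; "
            "leave at most one."
        )
    return findings


if __name__ == "__main__":
    for fname, blob in [("RootCA.crt", SAMPLE_PEM),
                        ("RootCA.pem", SAMPLE_PEM),
                        ("RootCA.pem", SAMPLE_PEM + b"\n\n")]:
        print(fname, check_keystore_file(fname, blob) or "OK")
```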
Workaround: Testing RKM Java Client against a fresh installation of RSA Key Manager Server 2.1.3. Configured the certificate parameters in sample_config.properties as follows:

# Name of the client key store file with absolute or relative path

# Name of the server key store file with absolute or relative path
Legacy Article ID: a40406