JavaEar 专注于收集分享传播有价值的技术资料

Key protection algorithm not found: Certificate chain is not validate

I'm getting this error when I try to create a JKS file, write it to disk, then run keytool to convert it to a P12. The reason I'm going this route is because I cannot get a P12 that works for iOS in code (not a crypto person). There was enough code out there to create a JKS. To create my end credential, I'm doing this:

public X509Certificate buildEndEntityCert(PublicKey entityKey, PrivateKey caKey, X509Certificate caCert, String clientName)
        throws Exception {
    String name = "CN=" + clientName;
    X509v3CertificateBuilder certBldr = new JcaX509v3CertificateBuilder(
            new Date(System.currentTimeMillis()),
            new Date(System.currentTimeMillis() + VALIDITY_PERIOD),
            new X500Principal(name),

    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();

    certBldr.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
            .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(entityKey))
            .addExtension(Extension.basicConstraints, false, new BasicConstraints(false))
            .addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation))
            .addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));

    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caKey);

    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(;

I call that method and create the JKS like this:

KeyPair endPair = generateRSAKeyPair(2048);
X509Certificate endCert = buildEndEntityCert(endPair.getPublic(), intermediateCredential.getPrivateKey(), intermediateCredential.getCertificate(), clientName);  // intermediateCredential and rootCredential are properties of this class that get loaded when the app starts up
X500PrivateCredential endCredential = new X500PrivateCredential(endCert, endPair.getPrivate(), clientName);

KeyStore store = KeyStore.getInstance("JKS");
store.load(null, null);
store.setKeyEntry(clientName, endCredential.getPrivateKey(), "secret".toCharArray(),
        new Certificate[]{
        }); FileOutputStream(clientName + ".jks"), "secret".toCharArray());

Then when I run keytool from ProcessBuilder:

"C:\\Program Files\\Java\\jdk1.7.0_80\\bin\\keytool",     
                clientName + ".jks",
                clientName + ".p12",
                "-srcstoretype", "JKS",
                "-deststoretype", "PKCS12",

I get Problem importing entry for alias CLIENT_NAME: Key protection algorithm not found: Certificate chain is not validate. I tried googling this but did not find much info. Can someone tell me what this means or if they see something obvious that I am doing wrong? Thanks in advance.


  1. I would like you to the following steps (suppose the name of the jks file is abc.jks)

    1. Paste the abc.jks file in the bin folder of java where keytool.exe file is present (e.g. C:\Program Files (x86)\Java\jre1.8.0_121\bin)
    2. Run this command keytool -keystore abc.jks -list -v and enter the password
    3. Now you will need to check the following content in it A. Entry type (It should be private, if it is not a then you don't have the key) B. Certificate chain (It should be 3, if it is one then you need to import the CA certificates)

    you can confirm the same in the image enter image description here

    You can use the this command to convert the jks to pfx keytool -importkeystore -srckeystore abc.jks -srcstoretype jks -destkeystore xyz.pfx -deststoretype pkcs12 (I will recommend to paste the abc.jks in the bin folder of java) at the end you need to change the extension to P12