Reading X.509 Certificate in Java: How to Handle Format Issue

I got into a very interesting problem while writing code to read a X.509 certificate. It’s a standard PEM encoded certificate (shown below) as you would find anywhere else.

-----BEGIN CERTIFICATE-----IBAgIJAKMIIDRTCCAi2gAwlwrFcAdHQtMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xNDAyMjExMzM4NTBaFw0yNDAyMTkxMzM4NTBaMCAxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPFUHIMCZdvngHxBhSPf2LezpXTzQ7cOsfv2G0xVBJjkYKfffLxKmm0S3/ZEeGoXz1x/kQUoohYMf4ormOZwO+XL/9aVvj569t8siykGa0u15vAl2JASbHdGtzccD7V/3sz9rW5lLGq+ZsdU4n9r0opwSwlr6dSkWmv2OC8joSxwGWVbZREWi5j0vf/F76WjTSNHIruJpeST476UFBVrh633cwRoJoyDkuvM2lpze1WGBLKqk/kmGcnpBsjdDLGDKHgxlou3BstBjuq6nYaFAV1zHCc9SyM0KmZs8UJ5TX/3vnpxCyCMbcz9mGYU8Z+6eKVLG3xT7iWQsf1JZZMVwPUCAwEAAaOBgTB/MB0GA1UdDgQWBBRQc0tKrMgUvO6ne29Yfvp7U/28iDBQBgNVHSMESTBHgBRQc0tKrMgUvO6ne29Yfvp7U/28iKEkpCIwIDEeMBwGA1UEAxMVbG9jYWxob3N0LmxvY2FsZG9tYWluggkAqXCsVwB0dC0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAVn+5vniECIvs4IdW+Ix556daxP7mu7Xu1AoUxtMCXkwGovkuQvguabd+WAV2nQKVEdCC9b61mGQAueCHWaONGV2ZkMIHh5uoheiX8QAkbxjYijXlqS7bPbFW9faF8icrXg1rKuRTW/rt7WVL7FER/88zU65b5HCzyXfRrb48E4xBBpSc/QE/zgtHWqxeFG/+FJvJBRlXtxDZRWbLCy0HhZf0SvcPoQ1JqHI0lJC43RQzXrfo9GGVS34wb7Pi+6lYHVnh71zfypXXDrfzKzEJM+zwri6KX+BpSMV9pMqgqeew+Bp95+uKYTY4bnOixW/3X80t+2zMnJqPJ62UhHuKzw==-----END CERTIFICATE-----

Lost VMs or Containers? Too Many Consoles? Too Slow GUI? Time to learn how to "Google" and manage your VMware and clouds in a fast and secure HTML5 App.

The exception is as follows. It’s pretty clear, but also confusing because the certificate string has included both BEGIN and END. It seems to me very complete. Of course, the program does not lie and we have to trust it most of the time unless there is a bug. Could not parse certificate: Incomplete data

I understand there could be special characters that cannot be displayed in a normal editor. So I used HEX viewer in Notepad++ to check the string and didn’t find much unusual. Instead of further guessing, I decided to search for the source code of the and see what is taken as incomplete by the API.

Quite luckily, I found the following code at github (full source is here)

            // Read BASE64 encoded data, might skip info at the beginning
            char[] data = new char[2048];
            int pos = 0;
            // Step 1: Read until header is found
            int hyphen = (c=='-') ? 1: 0; // count of consequent hyphens
            int last = (c=='-') ? -1: c; // the char before hyphen
            while (true) {
                int next =;
                if (next == -1) {
                    // We accept useless data after the last block,
                    // say, empty lines.
                    return null;
                if (next == '-') {
                } else {
                    hyphen = 0;
                    last = next;
                if (hyphen == 5 && (last==-1 || last=='\r' || last=='\n')) {
            // Step 2: Read the rest of header, determine the line end
            int end;
            StringBuffer header = new StringBuffer("-----");
            while (true) {
                int next =;
                if (next == -1) {
                    throw new IOException("Incomplete data");

With the source code, it becomes quite clear that the API expects the certificate to have CR or/and LF after the begin mark. In other words, the certificate must have two lines. But my certificate string does not have CR or LF after the begin mark, therefore it continues to look for data with no luck.

The solution to the problem is pretty straight forward – just add one CR or LF (both are OK too, “\r\n” in Java and other languages) after the “—–BEGIN CERTIFICATE—–“.

If you read the string from some sources that do not have CRLF, you must insert one (which is a trivial work) to make the Java API happy.

This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.


  1. Joe Bloe
    Posted May 12, 2015 at 5:55 pm | Permalink

    Thank you! There is no sign of this quirk in the official documentation for these APIs. Your post saved me a lot of time.

  2. Posted May 12, 2015 at 6:27 pm | Permalink

    Thanks for letting me know Joe,
    Glad you find it helpful.

  3. bond
    Posted August 16, 2015 at 12:31 pm | Permalink

    Thanks a lot buddy.

  4. Posted October 6, 2015 at 3:12 pm | Permalink

    Now that’s an “interesting” feature. Spent quite some time on trying to figure out why my perfectly fine certificate string did not work with the CertificateFactory, before Google led me here. Thank you for your post!

  5. Posted October 6, 2015 at 5:43 pm | Permalink

    You are very welcome Erko, glad that it helped.


  6. laura
    Posted October 26, 2015 at 1:58 pm | Permalink

    you share the pem string, the error and the source code for the methods you used, would it be possible to see the actual code was trying to make the cert?

    public static X509Certificate fromStringToX509Certificate(String str) throws CertificateException {
    byte[] bytes =str.getBytes();
    CertificateFactory certFactory = CertificateFactory.getInstance(“X.509”);
    InputStream in = new ByteArrayInputStream(bytes);
    X509Certificate cert = (X509Certificate) certFactory.generateCertificate(in);
    return cert;

    I tried this with my own Pem encoded cert and got the error you described then put in the \r\n and started getting a different error. I threw your Pem encoded cert in (with \r\n) and got a new error , it would be great to see the code. thanks!

  7. Girma Mamuye
    Posted June 6, 2016 at 4:16 am | Permalink

    Thank you very much, you saved my day!

  8. Posted June 6, 2016 at 5:55 pm | Permalink

    You are very welcome Girma, glad it helped.

  9. Posted August 8, 2016 at 12:44 pm | Permalink

    I am also facing Incomplete data, for actual cert content. Not sure how to solve it, since its not working when added CR or LF after BEGIN CERT as follows.
    -----BEGIN CERTIFICATE-----CR\r\n
    Is it possible to post complete cert data to test.

  10. Posted August 23, 2016 at 1:03 pm | Permalink

    Hi Paramesh,

    It’s a while back and I could not find the cert file. You may want to generate one which is quite fast to do.


  11. Aleksandra
    Posted September 20, 2016 at 4:33 am | Permalink

    Saved my day as will, good work! Keep it up.

  12. Pistol Pete
    Posted December 13, 2016 at 4:50 am | Permalink

    Thanks man

One Trackback

Post a Comment

Your email is never published nor shared. Required fields are marked *


You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


    My company has created products like vSearch ("Super vCenter"), vijavaNG APIs, EAM APIs, ICE tool. We also help clients with virtualization and cloud computing on customized development, training. Should you, or someone you know, need these products and services, please feel free to contact me: steve __AT__

    Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de factor open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.