Java APNS Certificate Error with "DerInputStream.getLength(): lengthTag=109, too big."


When I try to use Java APNS to send a push notification to iOS, I get this error message:

com.notnoop.exceptions.InvalidSSLConfig: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

I already tried converting the certificate to Personal Information Exchange (.p12) and I am still getting the same error. Does anyone know the problem and how to resolve it?

Here is my Java code:

ApnsService service =
    APNS.newService()
   .withCert("src/net/notification/ck.jks", "******")
   .withSandboxDestination()
   .build();

String payload = APNS.newPayload().alertBody(record.getSendMsg()).build();
String token = record.getToken();
service.push(token, payload);

Thanks.


I had the same problem but my solution will help you only if you are using maven.

Maven resource filtering (that lets you include variables in your resource files) can mess up your binaries - and certificates are especially sensitive to modification.

In general, binary content shouldn't be filtered. But I couldn't just simply disable resource filtering because I have some .properties files that include variables. So the solution was to exclude .p12 files from filtering.

<build>
    [...]
    <resources>
        <resource>
            <directory>src/main/resources</directory>
            <filtering>true</filtering>
            <excludes>
                <exclude>**/*.p12</exclude>
            </excludes>
        </resource>
        <resource>
            <directory>src/main/resources</directory>
            <filtering>false</filtering>
            <includes>
                <include>**/*.p12</include>
            </includes>
        </resource>
    </resources>
    [...]
</build>

More about maven resource filtering: http://maven.apache.org/plugins/maven-resources-plugin/examples/filter.html



This occurs because the system thinks you are trying to read a different type of keystore and not JKS. You will need to specify that the file is JKS or convert it to the other format.

I see that you have already tried converting to .p12. If you did this correctly, perhaps there is some other default format. I recommend finding out how to specify JKS instead.



If you use Maven, this is probably occurring because of the Maven filtering in your whole resources folder. I've tried Zsolt Safrany's solution above and it did not work. However, reading the documentation he shared, I've found this:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-resources-plugin</artifactId>
  <version>3.0.1</version>
  <configuration>
    <nonFilteredFileExtensions>
      <nonFilteredFileExtension>p12</nonFilteredFileExtension>
    </nonFilteredFileExtensions>
  </configuration>
</plugin>

Which excludes binary extensions (or any extension you want) from being filtered.



Delete keystoreType line

I don't know WHY this works. But if I have this line in my server.xml..

keystoreType="PKCS12"

...then Tomcat will NOT start and give me the DerInputStream.getLength(): lengthTag=109, too big error instead.

But if I DELETE that line then Tomcat will start nicely. No idea why that works. Feels dirty.



I had this problem and figured out that the problem is that the truststore.p12 is actually in JKS or corrupted.

The keytool command to test the truststore for PKCS12 compliance is:

keytool.exe -keystore truststore.p12 -storepass passwordText -list -storetype pkcs12
keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

I was able to correct this by doing forced JKS to PKCS12 conversion.

With the following instruction:

 keytool.exe -importkeystore -srckeystore truststore.jks  -destkeystore truststore1.p12 -srcstoretype JKS -deststoretype PKCS12

Then a successful test would provide something like:

keytool.exe -keystore truststore.p12 -storepass passwordText -list -storetype pkcs12


Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 3 entries

certificates-4, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): CF:E3:01:1F:A3:30:C5:B1:B9:2B:C5:28:1B:8C:66:71:EA:B8:67:0D
certificates-3, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
certificates-2, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): FA:5F:98:E8:02:2E:81:05:DB:DF:24:48:65:6A:E5:76:C1:31:CB:28
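
The answers above describe two causes: a JKS file loaded as PKCS12, and a .p12 damaged by Maven resource filtering. The following added example (not code from any answer or from java-apns) tells them apart by the file's first bytes and derives the lengthTag value from them. The class name KeystoreSniffer is hypothetical, and the corruption check assumes the file was rewritten as UTF-8 text, where invalid bytes become U+FFFD (EF BF BD).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;

// Added example: triage a keystore file by its leading bytes.
public class KeystoreSniffer {

    // DER long-form length rule: a length byte with the high bit set announces
    // (byte & 0x7F) further length bytes; the JDK parser rejects more than 4
    // and reports that count as "lengthTag". Returns -1 if the byte is acceptable.
    static int rejectedLengthTag(byte[] head) {
        int len = head[1] & 0xFF;
        int count = len & 0x7F;
        return ((len & 0x80) != 0 && count > 4) ? count : -1;
    }

    static boolean startsWith(byte[] head, int... magic) {
        if (head.length < magic.length) return false;
        for (int i = 0; i < magic.length; i++)
            if ((head[i] & 0xFF) != magic[i]) return false;
        return true;
    }

    static String classify(byte[] head) {
        if (head.length < 4) return "too short to be a keystore";
        int tagValue = rejectedLengthTag(head);
        String tag = tagValue < 0 ? ""
                : " (a PKCS12 load would report lengthTag=" + tagValue + ")";
        // JKS files begin with the magic number 0xFEEDFEED.
        if (startsWith(head, 0xFE, 0xED, 0xFE, 0xED)) return "JKS keystore" + tag;
        // DER tag 0x30 followed by the UTF-8 encoding of U+FFFD: binary was filtered as text.
        if (startsWith(head, 0x30, 0xEF, 0xBF, 0xBD))
            return "DER data rewritten as UTF-8 text, U+FFFD present" + tag;
        if (startsWith(head, 0x30) && tag.isEmpty()) return "DER SEQUENCE, plausibly PKCS12";
        return "unrecognised format" + tag;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample headers; pass a file path to check a real keystore as well.
        byte[][] samples = {
            {(byte) 0xFE, (byte) 0xED, (byte) 0xFE, (byte) 0xED},  // JKS magic
            {0x30, (byte) 0x82, 0x0A, 0x1B},                       // intact DER header
            {0x30, (byte) 0xEF, (byte) 0xBF, (byte) 0xBD}          // 0x82 replaced by U+FFFD
        };
        for (byte[] s : samples) System.out.println(classify(s));
        if (args.length == 1)
            System.out.println(classify(Files.readAllBytes(Paths.get(args[0]))));
    }
}
```

Running it against the copy of the keystore inside the built artifact (for example under target/classes) rather than the source file shows whether the build step altered it.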
