Certificate is not a X.509 certificate – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.7-8.9

Briefly, this error occurs when Elasticsearch is trying to use a certificate that is not in the X.509 standard format. X.509 is a standard defining the format of public key certificates. To resolve this issue, you should ensure that the certificate you’re using is indeed a X.509 certificate. You can convert your existing certificate to X.509 format using OpenSSL or other similar tools. Alternatively, you can obtain a new certificate that is already in X.509 format from a Certificate Authority.

This guide will help you check for common problems that cause the log ” Certificate ({}) is not a X.509 certificate ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “Certificate ({}) is not a X.509 certificate” class name is SamlServiceProviderDocument.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :

 if (certificates.size() == 1) {
 final Certificate certificate = certificates.get(0);
 if (certificate instanceof X509Certificate) {
 return (X509Certificate) certificate;
 } else {
 throw new ElasticsearchException("Certificate ({}) is not a X.509 certificate"; certificate.getClass());
 } else {
 throw new ElasticsearchException("Expected a single certificate; but found {}"; certificates.size());
 } catch (IOException e) {


How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?