What is mastercert
supposed to be?
According to the docs for generateCertificate()
, it expects that a "certificate provided in inStream must be DER-encoded and may be supplied in binary or printable (Base64) encoding". In other words, a DER or PEM encoded X509 certificate.
What you're providing it via that InputStream is a PFX file (a PKCS#12 file), not a DER or PEM encoded certificate.
My advice is to use openssl pkcs12
to extract the necessary certificate from the PKCS#12 file, and place it into a separate file, then change the code to load that instead of your PFX file.