A PEM X.509 cert has a header "-----BEGIN CERTIFICATE-----" and a footer "-----END CERTIFICATE-----". If there is whitespace after the header or footer, CertificateFactory cannot load it and throws this exception:

Caused by: java.security.cert.CertificateException: java.io.IOException: Illegal footer: -----END CERTIFICATE-----
at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:358)
at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478)
at java.base/sun.security.tools.keytool.Main.printCertFromStream(Main.java:2599)
... 4 more
Caused by: java.io.IOException: Illegal footer: -----END CERTIFICATE-----
at java.base/sun.security.provider.X509Factory.checkHeaderFooter(X509Factory.java:656)
at java.base/sun.security.provider.X509Factory.readOneBlock(X509Factory.java:638)
at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:449)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356)

According to https://tools.ietf.org/html/rfc7468#section-3, WSP is allowed after preeb or posteb:

  textualmsg = preeb *WSP eol
               *eolWSP
               base64text
               posteb *WSP [eol]

  preeb = "-----BEGIN " label "-----" ; unlike [RFC1421] (A)BNF,
                                           ; eol is not required (but
  posteb = "-----END " label "-----" ; see [RFC1421], Section 4.4)