Error while Importing public certificate to a keystore

I have a public certificate from a CA. I want to create a Java SSL connection using this certificate. I referred to "How can I use different certificates on specific connections?" and "Java SSL connection with self-signed certificate without copying complete keystore to client". From this I understand that I need to import the certificate into a keystore. However, I haven't received any keystore from the CA. I created a keystore and tried to import the public certificate into it. But then I get the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Do I need a keystore from the CA or am I doing something wrong?


Command used to create the keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

Command used to import the cert:

keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks
DanMatlin asked Jun 13 '13 09:06



2 Answers

I think you are not properly following the certificate signing process. Check out this discussion https://forums.oracle.com/thread/1533940 to implement it properly by following the steps below:

  1. create a keystore keytool -genkey -keyalg RSA -keystore test.keystore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")

  2. create a Certificate Signing Request (CSR). keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore (this generates a text CSR file)

  3. Had signed cert generated: http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html

  4. Imported signed certificate (watch out for CRLFs if pasting signed cert from step 3) keytool -import -alias newkey -file <signed cert file> -keystore test.keystore (important that this has an alias different from step 1, which defaults to "mykey"?)

  5. Export public key for client usage keytool -export -alias mykey -file test.publickey -keystore test.keystore

On the server system

  6. create a truststore keytool -genkey -keyalg RSA -keystore test.truststore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")

  7. Import public key - for testing SSL SOAP service via client keytool -import -file test.publickey -keystore test.truststore

The problem was letting the alias in steps 1 and 6 default to "mykey". When I changed step 6 to be: keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360

you can import using step 7 above (though I did add "-alias apublickey" in step 7). This worked for me.

PeggyP answered Oct 19 '22 02:10


Please change the alias from tomcat to any other, as you are using the same alias as for the keystore's -genkey.

Rishi Raj Tandon answered Oct 19 '22 04:10
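Added example, not part of the question or either answer: a shell script that uses keytool itself to build a throwaway CA, reproduce the "Public keys in reply and keystore don't match" error, and show the two imports keytool accepts: the CA's reply installed against the key pair that produced the CSR (same alias), and the same certificate imported as a trustedCertEntry under an alias that holds no key pair, which is what the alias change in both answers achieves for a client truststore. Aliases, passwords and file names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed demo, not from the question: a throwaway CA signs a CSR from the
# "tomcat" key pair, standing in for the real CA's reply. Passwords, aliases and
# file names are assumptions for this example.
set -u
PW=changeit
work=$(mktemp -d) && cd "$work" || exit 1
kt() { keytool "$@" -storepass "$PW" 2>&1; }   # keytool with the store password
gen() { kt -genkeypair -keyalg RSA -keysize 2048 -validity 365 -keypass "$PW" "$@"; }

# Throwaway CA and its PEM certificate (a real CA hands you this file too).
gen -alias ca -dname "CN=Demo CA" -ext bc:c -keystore ca.jks
kt -exportcert -alias ca -rfc -file ca.pem -keystore ca.jks
# Server key pair, its CSR, and the CA-signed certificate answering that CSR.
gen -alias tomcat -dname "CN=localhost" -keystore keystore.jks
kt -certreq -alias tomcat -file server.csr -keystore keystore.jks
kt -gencert -alias ca -infile server.csr -outfile signed-cert.pem -rfc \
   -validity 365 -keystore ca.jks
# A second key pair under the SAME alias, but not the one behind the CSR.
gen -alias tomcat -dname "CN=localhost" -keystore other.jks

# (a) A reply installs only if the issuing CA is already trusted in the store
#     and the alias holds the key pair that produced the CSR.
import_reply() {
  cp keystore.jks a.jks &&
  kt -importcert -noprompt -alias ca -file ca.pem -keystore a.jks >/dev/null &&
  kt -importcert -noprompt -alias tomcat -file signed-cert.pem -keystore a.jks |
    grep -q 'Certificate reply was installed'
}
# (b) The same file against an alias whose key pair never made that CSR: this
#     is the asker's situation and keytool must refuse it.
mismatch_is_rejected() {
  cp other.jks b.jks &&
  kt -importcert -noprompt -alias ca -file ca.pem -keystore b.jks >/dev/null
  if out=$(kt -importcert -noprompt -alias tomcat -file signed-cert.pem -keystore b.jks)
  then return 1; fi                    # an accepted import here would be a bug
  echo "$out" | grep -q "Public keys in reply and keystore don't match"
}
# (c) For client-side trust, import under an alias that owns no key pair:
#     keytool then stores a trustedCertEntry instead of treating it as a reply.
trust_entry_created() {
  rm -f c.jks &&
  kt -importcert -noprompt -alias server -file signed-cert.pem -keystore c.jks >/dev/null &&
  kt -list -keystore c.jks | grep -q 'server,.*trustedCertEntry'
}

import_reply         && echo "(a) reply installed into the key pair's keystore"
mismatch_is_rejected && echo "(b) mismatched key pair rejected, as in the question"
trust_entry_created  && echo "(c) truststore holds a trustedCertEntry"
```

Run it with a JDK on PATH; each function returns 0 only when keytool produced the outcome its comment describes.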