Getting "No certificate matches private key"

This is the sequence of commands I tried:

a. Extract an existing certificate key from the store:

keytool -v -importkeystore -srckeystore keystore -srcalias one -destkeystore temppp -deststoretype PKCS12 -srcstorepass passwordd -deststorepass passwordd

b. Extract the private key from the exported certificate:

openssl pkcs12 -in temppp -out csr_private.key -nocerts -nodes -password pass:passwordd

c. Generate a CSR using the extracted key:

openssl req -nodes -sha256 -new -key csr_private.key -out request.csr -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla/OU=Bla/CN=BLAAAA'

d. Generate a self-signed certificate and key:

openssl req -x509 -newkey rsa:2048 -keyout ca_key.pem -nodes -sha512 -days 4096 -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla Bla/OU=BLA/CN=FOOO' -out ca.pem

e. Sign the CSR with the self-signed certificate:

openssl x509 -in request.csr -out signed_cert.pem -req -signkey ca_key.pem -days 1001

f. Export the signed certificate and the CSR key to one p12 file:

openssl pkcs12 -export -in signed_cert.pem -inkey csr_private.key -out file.p12 -name "one"

Result:

No certificate matches private key

  1. What am I missing? Why isn't my last command legitimate?
  2. I planned to do "keytool -importkeystore" file.p12 (that should have been generated in the last step) to replace the "one" privateKeyEntry in "keystore". As suggested in How to import an existing x509 certificate and private key in Java keystore to use in SSL?. Basically I'm trying to edit that entry to have the same key, but a different certificate.
yair asked Jun 28 '14 22:06
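The error "No certificate matches private key" means the public key inside the certificate handed to pkcs12 -export is not the public key that belongs to the private key handed to -inkey. The quickest way to see whether two files belong together is to compare the public key carried in the certificate with the public key derived from the private key. The shell script below is an added example, not part of the question or the answer: it does that comparison with the openssl CLI, builds a small constructed CA and leaf pair to run against (the file names ca.key, ca.pem, leaf.key, leaf.csr, leaf.pem and the subject names are my own choices), and reports MATCH or MISMATCH for each pair. Pointing cert_matches_key at signed_cert.pem and csr_private.key from steps e and f shows whether the export in step f can succeed at all.

```shell
#!/bin/sh
# Added example: check whether a certificate and a private key belong together
# by comparing the SubjectPublicKeyInfo each one carries. Assumes the openssl
# CLI is on PATH; all file names and subject names below are constructed.
set -eu

# SHA-256 of the DER-encoded public key found inside a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the certificate's public key matches the private key,
# 1 otherwise. This is the relationship "openssl pkcs12 -export" verifies
# before it reports "No certificate matches private key".
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Build a constructed PKI in directory $1: a self-signed CA, a leaf key,
# a CSR for that key, and a certificate issued for the CSR by the CA.
make_demo_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/CN=Example Test CA' -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/leaf.key" 2>/dev/null
    openssl req -new -sha256 -key "$dir/leaf.key" -subj '/CN=leaf.example.test' \
        -out "$dir/leaf.csr" 2>/dev/null
    # Issue a certificate for the CSR using the CA's certificate and key; the
    # subject public key written into leaf.pem is the one from the CSR (leaf.key).
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$dir/leaf.pem" 2>/dev/null
}

# Human-readable report for one certificate/key pair.
report() {
    if cert_matches_key "$1" "$2"; then
        echo "MATCH     $1 <-> $2"
    else
        echo "MISMATCH  $1 <-> $2"
    fi
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_demo_pki "$WORK"
report "$WORK/leaf.pem" "$WORK/leaf.key"   # issued for leaf.key: MATCH
report "$WORK/leaf.pem" "$WORK/ca.key"     # wrong key for this cert: MISMATCH
report "$WORK/ca.pem"   "$WORK/ca.key"     # self-signed CA pair: MATCH
```

Comparing the hashed DER public key rather than the RSA modulus (the classic `openssl x509 -noout -modulus` versus `openssl rsa -noout -modulus` check) has the advantage of working for EC keys as well as RSA keys. To test your own files, call cert_matches_key with the certificate path first and the private key path second and inspect the exit status.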



1 Answer

The fix is to add "-nodes" to the last command (f).
In the second command that key was exported with "-nodes" (no DES encryption), and it should be the same in the last command too.

yair answered Nov 12 '22 20:11