
I have this problem when I import a certificate file into a keystore:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I do these operations:

1) create my keystore on the server :

keytool -genkey -keystore C:\keystore\keystore -alias jboss -keyalg RSA

2) I have domain.pfx and convert it with these commands:

  • openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer

  • openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain_encrypted.key

  • openssl rsa -in domain_encrypted.key -out domain.key

Now I have 3 new files:

  • domain.cer
  • domain_encrypted.key
  • domain.key

3) Finally, import domain.cer into C:\keystore\keystore under the jboss alias:

keytool -import -alias jboss -keystore C:\keystore\keystore -file C:\cert\domain.cer

But I have this error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

What is the problem?

ROMANIA_engineer
fabrix_00
  • Why did you do all those steps? All you need is the -genkey step, a -certreq step, a CSR signing step at a CA, and then an import step; you don't need to use openssl at all. – user207421 Oct 27 '14 at 11:03

3 Answers


A keystore comprises two entry types:

  1. Private Key Entry (which binds the private key stored in the keystore to the certificate imported into the keystore). Here the alias must remain the same as the one used when the keystore file was created.

  2. Trusted Entry: this entry comprises all the trusted certificate entries, including the root and intermediate certificates.

If a keystore is bound to a domain in Tomcat's server.xml file, then it must contain the private key entry.

Now, as per the steps you performed, you created a keystore first (a private key was generated in it) and then you tried to import the certificate into the keystore. But in that command you didn't use the private key which you converted using openssl; you used the private key that was freshly generated when you created the keystore.

As you have domain.pfx with you, you can straight away convert it using the keytool command below:

keytool -importkeystore -srckeystore domain.pfx -srcstoretype pkcs12 -destkeystore name_of_the_keystore_file.jks -deststoretype jks

Note: make sure the keystore password and the key password remain the same.

Nick Desai
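The following script is an added example, not code from the question, the comment or the answer above. It puts the two workable routes side by side: the -genkeypair / -certreq / CA-sign / -importcert sequence from user207421's comment, and the -importkeystore route from the answer above that moves the key and certificate out of the PKCS#12 bundle together. It also shows the comparison keytool performs before installing a reply (public key in the certificate versus public key of the key under that alias), reproduces the "Public keys in reply and keystore don't match" error by importing a certificate issued for a different key, and counts the resulting key entries. It assumes openssl on PATH; keytool is optional and the keystore steps are skipped without it. The hostname domain.example, the password changeit, the CA name "Test CA" and all file names are constructed for the demonstration; the jboss alias is the one from the question.

```shell
#!/bin/sh
# Added example (not from the original post). Requires openssl; keytool (any JDK)
# is optional and only used for the keystore steps. All key material is generated
# here, so nothing real is touched.
set -eu

# Constructed material in directory $1: a self-signed certificate for key pair A
# and an unrelated key pair B. Importing A's certificate into a keystore alias
# that holds key B is what triggers "Public keys in reply and keystore don't match".
make_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.cer" \
    -subj "/CN=domain.example" -days 1 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/b.key" >/dev/null 2>&1
}

# SHA-256 over the DER SubjectPublicKeyInfo of the certificate's public key.
cert_pubkey_fp() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest for the public half of a private key, so the two are comparable.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when certificate $1 was issued for private key $2. This is the check
# keytool performs before it installs a certificate reply under an existing key entry.
keys_match() {
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Number of PrivateKeyEntry entries in keystore $1 with store password $2 (needs keytool).
count_key_entries() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c 'PrivateKeyEntry' || true
}

main() {
  work=$(mktemp -d)
  pw=changeit
  make_material "$work"

  keys_match "$work/a.cer" "$work/a.key" && echo "a.cer belongs to a.key: usable as a reply for that key"
  keys_match "$work/a.cer" "$work/b.key" || echo "a.cer does not belong to b.key: keytool rejects it as a reply"

  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping the keystore steps"
    return 0
  fi

  ks="$work/keystore.jks"
  # 1) key pair generated in the keystore; the reply must come back to this alias
  keytool -genkeypair -keystore "$ks" -storepass "$pw" -keypass "$pw" -alias jboss \
    -keyalg RSA -keysize 2048 -dname "CN=domain.example" >/dev/null 2>&1
  # 2) CSR from that key; a constructed openssl CA stands in for the real one
  keytool -certreq -keystore "$ks" -storepass "$pw" -alias jboss -file "$work/jboss.csr" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/ca.key" -out "$work/ca.cer" \
    -subj "/CN=Test CA" -days 1 >/dev/null 2>&1
  openssl x509 -req -in "$work/jboss.csr" -CA "$work/ca.cer" -CAkey "$work/ca.key" \
    -CAcreateserial -out "$work/jboss.cer" -days 1 >/dev/null 2>&1
  # 3) trusted entry for the CA first, then the reply under the SAME alias as the key
  keytool -importcert -keystore "$ks" -storepass "$pw" -alias testca -file "$work/ca.cer" -noprompt >/dev/null 2>&1
  keytool -importcert -keystore "$ks" -storepass "$pw" -alias jboss -file "$work/jboss.cer" -noprompt >/dev/null 2>&1
  echo "key entries after installing the reply: $(count_key_entries "$ks" "$pw")"

  # The asker's situation: a certificate for some other key pushed into the jboss alias
  if keytool -importcert -keystore "$ks" -storepass "$pw" -alias jboss -file "$work/a.cer" -noprompt 2>&1 | grep -q "don't match"; then
    echo "reproduced: Public keys in reply and keystore don't match"
  fi

  # The answer's route when key and certificate already live in a PKCS#12 bundle:
  # move the whole entry, not just the certificate
  openssl pkcs12 -export -in "$work/a.cer" -inkey "$work/a.key" -name jboss \
    -out "$work/domain.pfx" -passout "pass:$pw"
  keytool -importkeystore -srckeystore "$work/domain.pfx" -srcstoretype pkcs12 -srcstorepass "$pw" \
    -srcalias jboss -destkeystore "$work/domain.jks" -deststoretype jks -deststorepass "$pw" \
    -destalias jboss -destkeypass "$pw" -noprompt >/dev/null 2>&1
  echo "key entries in domain.jks: $(count_key_entries "$work/domain.jks" "$pw")"
}

main
```

The fingerprint comparison is the useful pre-flight check: run cert_pubkey_fp against the file the CA sent back and key_pubkey_fp against the key you believe it was issued for (or the certificate keytool -exportcert -rfc prints for the alias) before touching the keystore. If the digests differ, no choice of alias fixes it; either the CSR came from a different key, or the key and certificate must be imported together with -importkeystore.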

Change the alias name, as another entry with the jboss alias should already have been created. You can view the truststore and the alias names in it by executing keytool -list -v -keystore. I am sure it will be resolved.

rajdeepbs29

I had the same issue today. I resolved it by using a different alias when I imported the certificate. So I had alias1 when generating the keystore and alias2 when importing the certificate.

  • That's exactly the wrong thing to do. Using a new alias causes the certificate to be imported as a trusted certificate, instead of being associated with the private key. – user207421 Oct 27 '14 at 11:01