
Before I start, I have looked at 2 other questions:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

And

java.lang.Exception: Public keys in reply and keystore don't match

But I believe that the error comes in the way I am generating the CSR that I submit to my provider (Digicert). I will detail my commands below; notice that this is the way our department has always done this, and up till this point I can't understand why this is not working (I am also not capacitated at all to do system administration things, but this landed on me).

First - Generating the keystore

keytool -genkey -alias aliasItem -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keypass <password> -dname "CN=server.domain.whatever, OU=IT, O=SOME NAME, L=City, ST=State, C=COUNTRY" -keystore keycerts -storepass <password>

I changed the important items as you might well assume for security concerns. Afterwards:

keytool -keycerts -keyalg RSA -sigalg SHA256withRSA -v -alias aliasItem -file outputfile.csr -keystore keycerts 

After I get the CSR, I submit it to my provider; there is no copy/paste error in this case since I import the file directly. They provide two .crt files, one from the service provider, and one for the server I am requesting it for. After I move these files to my server and attempt to import the service provider's .crt to the keystore I get an error. This is the command I use for importing the .crt to the keystore:

keytool -import -v -alias aliasItem -file <Provider>.crt -keystore keycerts

Which outputs the error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match
java.lang.Exception: Public keys in reply and keystore don't match
        at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2688)
        at sun.security.tools.KeyTool.installReply(KeyTool.java:1940)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:855)
        at sun.security.tools.KeyTool.run(KeyTool.java:194)
        at sun.security.tools.KeyTool.main(KeyTool.java:188)

I have tried changing some parts of the scripts a total of 8 times now, all using the notes and documentation provided by me with no positive results. What strikes me as odd is that this server is identical in all aspects to another one of our test servers, for which I had done this before with no issues. I am still trying to do different things to solve my issue, but due to my limited knowledge in this I believe that there has got to be something I am doing from the beginning that might be wrong.

Any input will be greatly appreciated.

sigillum_conf

1 Answer


The second command for generating the CSR seems to be incorrect because "-keycerts" is an illegal parameter. It must be "-certreq".

Now, the error states that the private key does not match with the certificate which you are trying to install. Kindly check the below

a) Please make sure you are trying to use the same keystore file which you used to generate the csr

b) Please check while importing you are using the correct alias name. The alias should match with the one you mentioned while generating the keystore file.

c) Please make sure you are importing the correct server certificate and not the intermediate or root. Digicert must have provided you all the three files namely, Server certificate (CN of this certificate must match with the one when you generated the csr file and this is the one which needs to be imported), Intermediate and root.

If the above steps don't work then you have to generate the new csr and keystore file and ask Digicert to Reissue the certificates. They will do it for you free of cost.

Ritesh Jha
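Checks (a), (b) and (c) above all come down to one question: is the public key inside the certificate reply the same key the keystore entry (and the CSR made from it) holds? The script below is an added example, not part of the question or of the answer, that settles that with openssl before running keytool -import, and with keytool -exportcert for the keystore side. The file and alias names in the usage comments (keycerts, aliasItem, outputfile.csr) are the ones from the question; server.crt and the digicert-intermediate alias are placeholders I chose. It assumes openssl is on PATH, and keytool only for the keystore function.

```shell
#!/bin/sh
# Added example (not the question's or the answer's code): compare the public key
# in a certificate reply with the public key the CSR / keystore entry was made
# from, before running `keytool -import`. "Public keys in reply and keystore
# don't match" is keytool failing this same comparison at import time.
#
# Assumptions: openssl on PATH; keytool (JDK) on PATH for keystore_pubkey_fp only.
set -eu

# SHA-256 fingerprint of a DER SubjectPublicKeyInfo, read as PEM on stdin.
spki_fp() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# Public-key fingerprint of a private key file (PKCS#8 or traditional PEM).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout | spki_fp
}

# Public-key fingerprint of a CSR (what was actually sent to the CA).
csr_pubkey_fp() {
    openssl req -in "$1" -pubkey -noout | spki_fp
}

# Public-key fingerprint of an X.509 certificate; tries PEM first, then DER.
cert_pubkey_fp() {
    { openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
      || openssl x509 -in "$1" -inform DER -pubkey -noout; } | spki_fp
}

# Public-key fingerprint of a keystore key entry. keytool exports the entry's
# own (self-signed) certificate, which carries the public half of the private
# key stored under that alias.
# Usage: keystore_pubkey_fp keycerts aliasItem '<password>'
keystore_pubkey_fp() {
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" \
      | openssl x509 -pubkey -noout | spki_fp
}

# Exit 0 when two fingerprints are identical, 1 otherwise. An empty fingerprint
# (unreadable input) never matches, so two parse failures cannot look like a match.
fp_match() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Does a certificate reply belong to a CSR? Prints "match" and exits 0, or prints
# "mismatch" and exits 1 (the case in which keytool -import would fail with the
# error from the question).
check_reply() {
    if fp_match "$(csr_pubkey_fp "$1")" "$(cert_pubkey_fp "$2")"; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# For the question's files (server.crt is a placeholder for the server cert):
#   check_reply outputfile.csr server.crt
#   fp_match "$(keystore_pubkey_fp keycerts aliasItem '<password>')" \
#            "$(cert_pubkey_fp server.crt)" && echo "same key, safe to import"
# Only the server certificate goes under aliasItem. A CA or intermediate .crt
# imported under that alias is treated as a reply for the key pair and produces
# the same error; give it its own alias (name is my placeholder):
#   keytool -importcert -alias digicert-intermediate -file <Provider>.crt -keystore keycerts
```

The stack trace in the question (installReply, then establishCertChain) is the path keytool takes whenever the target alias already holds a private key: the file is treated as a reply for that key and its public key is compared with the stored one. So importing the provider's certificate under aliasItem, as the question's import command does, is by itself enough to produce the error even when the CSR and keystore are correct; under a separate alias the same file is stored as a trusted certificate and no comparison happens.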