Error while Importing public certificate to a keystore

I have a public certificate from a CA. I want to create a Java SSL connection using this certificate. I referred to How can I use different certificates on specific connections? and Java SSL connection with self-signed certificate without copying complete keystore to client. From this I understand that I need to import the certificate into a keystore. However, I haven't received any keystore from the CA. I created a keystore and tried to import the public certificate into it. But then I get the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Do I need a keystore from the CA, or am I doing something wrong?


Command used to create the keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

Command used to import the cert:

keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks

3 Answers

I think you are not properly following the certificate signing process. Check out this discussion to implement it properly by following the steps below:

  1. Create a keystore:

     keytool -genkey -keyalg RSA -keystore test.keystore -validity 360

     (this generates a keystore and a key (DC) with alias of "mykey")

  2. Create a Certificate Signing Request (CSR):

     keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore

     (this generates a text CSR file)

  3. Had signed cert generated.

  4. Imported signed certificate (watch out for CRLFs if pasting signed cert from step 3):

     keytool -import -alias newkey -file <signed cert file> -keystore test.keystore

     (? important that this has an alias different to step 1 (which defaults to "mykey") ?)

  5. Export public key for client usage:

     keytool -export -alias mykey -file test.publickey -keystore test.keystore

On Server system

  6. Create a truststore:

     keytool -genkey -keyalg RSA -keystore test.truststore -validity 360

     (this generates a keystore and a key (DC) with alias of "mykey")

  7. Import public key - for testing SSL SOAP service via client:

     keytool -import -file test.publickey -keystore test.truststore

The problem was letting the alias in steps 1 and 6 default to "mykey". When I changed step 6 to be:

  keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360

you can import using step 7 above (though I did add "-alias apublickey" in step 7). This worked for me.


You can use the KeyStore Explorer GUI tool to generate a keystore/certificate and to import/export certificates into a keystore.

Please change the alias from tomcat to any other one, as you are using the same alias you used for the keystore -genkey.

