
I have a public certificate from a CA. I want to create a Java SSL connection using this certificate. I referred to How can I use different certificates on specific connections? and Java SSL connection with self-signed certificate without copying complete keystore to client. From this I understand that I need to import the certificate into a keystore. However, I haven't received any keystore from the CA. I created a keystore and tried to import the public certificate into it, but then I get the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Do I need a keystore from the CA, or am I doing something wrong?


Command used to create the keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

Command used to import the cert:

keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks
  • Can you please be a little bit more specific? Which command do you use to create the keystore and how do you import the cert? – Uwe Plonus Jun 13 '13 at 09:21
  • Command to create the keystore: keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks. Command to import the cert: keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks – DanMatlin Jun 13 '13 at 09:27
  • @Zeutheus did you find a way to make this work? I am facing a similar issue and a solution to the above issue will be of help. – themanwhosoldtheworld Apr 02 '14 at 08:43
  • I was doing it the wrong way. First you create a keystore. Then you extract the public key from this keystore. Send this public key over to your CA. When they send back the signed certificate, you can import it successfully into your keystore. – DanMatlin Apr 06 '14 at 09:42

3 Answers


I think you are not properly following the certificate signing process. Check out this discussion https://forums.oracle.com/thread/1533940 to implement it properly by following the steps below:

  1. Create a keystore: keytool -genkey -keyalg RSA -keystore test.keystore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")

  2. Create a Certificate Signing Request (CSR): keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore (this generates a text CSR file)

  3. Had signed cert generated: http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html

  4. Imported signed certificate (watch out for CRLFs if pasting signed cert from step 3): keytool -import -alias newkey -file <signed cert file> -keystore test.keystore (? important that this has an alias different to step 1, which defaults to "mykey" ?)

  5. Export public key for client usage: keytool -export -alias mykey -file test.publickey -keystore test.keystore

On Server system

  6. Create a truststore: keytool -genkey -keyalg RSA -keystore test.truststore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")

  7. Import public key - for testing SSL SOAP service via client: keytool -import -file test.publickey -keystore test.truststore

The problem was letting the alias in steps 1 and 6 default to "mykey". When I changed step 6 to be: keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360

you can import using step 7 above (though I did add "-alias apublickey" in step 7). This worked for me.
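The sequence DanMatlin describes in the comments (keystore first, CSR out of it, signed reply back in), as an added shell walk-through that is not part of the question or any answer. A throwaway openssl CA stands in for the real CA, and the alias, subject names and password are constructed demo values; it also shows the comparison behind the question's error message: the reply's public key has to equal the key already stored under the alias, which a CA's own certificate never does.

```shell
#!/bin/sh
# Added demo: keystore -> CSR -> CA-signed reply -> import, with a throwaway
# openssl CA standing in for the real CA. Alias, names and password are demo values.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KS="$WORK/keystore.jks"; PASS=changeit; ALIAS=tomcat
make_keystore_and_csr() {   # steps 1-2: key pair + placeholder self-signed cert, then the CSR
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=demo.example.test" -keystore "$KS" -storepass "$PASS" -keypass "$PASS" 2>/dev/null
  keytool -certreq -alias "$ALIAS" -file "$WORK/tomcat.csr" \
    -keystore "$KS" -storepass "$PASS" 2>/dev/null
}
sign_with_demo_ca() {       # step 3: what the CA does with the CSR (local stand-in CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/tomcat.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/signed-cert.pem" 2>/dev/null
}
pubkey_fpr() {              # SHA-256 over the public key of the first certificate in a PEM file
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}
keystore_pubkey_fpr() {     # same, for whatever is currently stored under $ALIAS
  keytool -list -rfc -alias "$ALIAS" -keystore "$KS" -storepass "$PASS" 2>/dev/null >"$WORK/entry.pem"
  pubkey_fpr "$WORK/entry.pem"
}
# The comparison keytool makes on a certificate reply; the question's error is this failing.
reply_matches_key() { [ "$(pubkey_fpr "$1")" = "$(keystore_pubkey_fpr)" ]; }

import_signed_reply() {     # step 4: issuer as a trusted entry first, then the reply under the key's alias
  keytool -importcert -noprompt -alias demo-root -file "$WORK/ca.pem" \
    -keystore "$KS" -storepass "$PASS" 2>/dev/null
  keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/signed-cert.pem" \
    -keystore "$KS" -storepass "$PASS" 2>/dev/null
}
chain_length() {            # how many certificates the key entry now carries
  keytool -list -rfc -alias "$ALIAS" -keystore "$KS" -storepass "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  make_keystore_and_csr; sign_with_demo_ca
  reply_matches_key "$WORK/signed-cert.pem" && echo "signed reply matches the stored key: import will succeed"
  reply_matches_key "$WORK/ca.pem" || echo "CA certificate does not match: importing it under '$ALIAS' gives the question's error"
  import_signed_reply; echo "certificates under '$ALIAS' after import: $(chain_length)"
else
  echo "keytool and openssl are required for this demo" >&2
fi
```

The reply is imported under the same alias as the private key so that keytool treats it as a certificate reply and replaces the placeholder chain; importing it under a new alias would only store it as a trusted certificate with no key behind it.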


You can use the KeyStore Explorer GUI tool to generate a keystore/certificate and to import/export certificates into a keystore.


Please change the alias from tomcat to any other, as you are using the same alias for keystore -genkey.
