Error while importing a public certificate into a keystore

Published 2019-04-06 14:35

Question:

I have a public certificate from a CA. I want to create a Java SSL connection using this certificate. I referred to How can I use different certificates on specific connections? and Java SSL connection with self-signed certificate without copying complete keystore to client. From this I understand that I need to import the certificate into a keystore. However, I haven't received any keystore from the CA. I created a keystore and tried to import the public certificate into it. But then I get the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Do I need a keystore from the CA, or am I doing something wrong?


Command used to create the keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

Command used to import the cert:

keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks

Answer 1:

I think you are not properly following the certificate signing process. Check out this discussion https://forums.oracle.com/thread/1533940 and implement it properly by following the steps below:

  1. Create a keystore:
     keytool -genkey -keyalg RSA -keystore test.keystore -validity 360
     (this generates a keystore and a key (DC) with the alias "mykey")

  2. Create a Certificate Signing Request (CSR):
     keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore
     (this generates a text CSR file)

  3. Have the signed cert generated: http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html

  4. Import the signed certificate (watch out for CRLFs if pasting the signed cert from step 3):
     keytool -import -alias newkey -file <signed cert file> -keystore test.keystore
     (important that this has an alias different from step 1, which defaults to "mykey"?)

  5. Export the public key for client usage:
     keytool -export -alias mykey -file test.publickey -keystore test.keystore

On the server system:

  6. Create a truststore:
     keytool -genkey -keyalg RSA -keystore test.truststore -validity 360
     (this generates a keystore and a key (DC) with the alias "mykey")

  7. Import the public key, for testing the SSL SOAP service via the client:
     keytool -import -file test.publickey -keystore test.truststore

The problem was letting the alias in steps 1 and 6 default to "mykey". When I changed step 6 to be:

  keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360

you can import using step 7 above (though I did add "-alias apublickey" in step 7). This worked for me.



Answer 2:

You can use the KeyStore Explorer GUI tool to generate a keystore/certificate and to import/export certificates into a keystore.



Answer 3:

I faced the same problem while importing the SSL certificate into the keystore. In my case the Root CA's certificate was missing from the chain. I exported the root certificate to a file and manually imported it into the keystore.



Answer 4:

Please change the alias from tomcat to something else, as you are using the same alias as for the keystore's -genkey.
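The error in the question comes from a specific test inside keytool that the four answers circle around. When -import targets an alias that already holds a private key, keytool treats the file as a CA reply and requires two things: the reply's end-entity certificate must carry exactly the public key stored under that alias (the key whose -certreq CSR the CA signed), and the reply's chain must end at a certificate the keystore already trusts (the missing Root CA case in answer 3). The Java program below is an added example, not code from the question, from any answer, or from keytool itself; it re-implements those two checks so the failing condition can be seen before running keytool. The class name CheckCertReply, the argument order and the file names from the question (keystore.jks, alias tomcat, signed-cert.pem) are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added diagnostic (not keytool's own code): mirrors the checks keytool applies when "-import"
 * targets an alias that already holds a private key.
 * Usage: java CheckCertReply keystore.jks <storepass> tomcat signed-cert.pem
 */
public class CheckCertReply {

    /** Loads a JKS keystore, the type "keytool -genkey ... -keystore keystore.jks" writes. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads a CA reply: a single PEM/DER certificate or a concatenated chain. */
    static List<X509Certificate> readReply(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        return certs;
    }

    /** The end-entity certificate is the one that issued no other certificate in the reply. */
    static X509Certificate endEntity(List<X509Certificate> chain) {
        for (X509Certificate c : chain) {
            boolean issuesAnother = chain.stream().anyMatch(o -> o != c
                    && o.getIssuerX500Principal().equals(c.getSubjectX500Principal()));
            if (!issuesAnother) return c;
        }
        return chain.get(0);
    }

    /** The top of the reply chain is the certificate that no other reply certificate issued. */
    static X509Certificate topOfChain(List<X509Certificate> chain) {
        for (X509Certificate c : chain) {
            boolean issuedByAnother = chain.stream().anyMatch(o -> o != c
                    && o.getSubjectX500Principal().equals(c.getIssuerX500Principal()));
            if (!issuedByAnother) return c;
        }
        return chain.get(chain.size() - 1);
    }

    /** True if the top certificate is self-signed or its issuer is already an entry in the keystore. */
    static boolean anchorPresent(KeyStore ks, X509Certificate top) throws Exception {
        if (top.getSubjectX500Principal().equals(top.getIssuerX500Principal())) return true;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate
                    && ((X509Certificate) c).getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java CheckCertReply <keystore.jks> <storepass> <alias> <reply.pem>");
            System.exit(2);
        }
        KeyStore ks = loadKeyStore(args[0], args[1].toCharArray());
        String alias = args[2];
        List<X509Certificate> reply = readReply(args[3]);
        if (!ks.isKeyEntry(alias)) {
            System.out.println("Alias '" + alias + "' is not a key entry, so keytool would treat this"
                    + " import as a trusted certificate, not as a CA reply.");
            return;
        }
        // -genkey stored a self-signed certificate under the alias; its public key is the one a
        // "-certreq" CSR from this alias carried, so it is the only key a CA reply can certify here.
        PublicKey keystoreKey = ks.getCertificate(alias).getPublicKey();
        X509Certificate leaf = endEntity(reply);
        if (!leaf.getPublicKey().equals(keystoreKey)) {
            System.out.println("Public keys in reply and keystore don't match for alias '" + alias + "':"
                    + " the reply was not issued for this key pair (the CSR came from another key,"
                    + " or the keystore was regenerated after the CSR was sent).");
            return;
        }
        X509Certificate top = topOfChain(reply);
        if (!anchorPresent(ks, top)) {
            System.out.println("Key matches, but the issuer of '" + top.getSubjectX500Principal()
                    + "' is in neither the reply nor the keystore; import the CA certificate first"
                    + " (keytool reports this as 'Failed to establish chain from reply').");
            return;
        }
        System.out.println("Reply is consistent with alias '" + alias + "'; keytool -import would accept it.");
    }
}
```

If the program reports a key mismatch for alias tomcat, the certificate was not issued for the key pair that -genkey created under that alias, and keytool will not accept it as a reply for that key regardless of other options; either a CSR produced from the alias that holds the key has to be signed (steps 1, 2 and 4 of answer 1), or the certificate can only be stored under a new alias as a trusted certificate, which is what happens when the alias is changed as answer 4 suggests. If it reports a missing anchor, importing the CA's certificate first, as in answer 3, is what makes the chain complete.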