I have a public certificate from a CA. I want to create a Java SSL connection using this certificate. I referred to "How can I use different certificates on specific connections?" and "Java SSL connection with self-signed certificate without copying complete keystore to client". From these I understand that I need to import the certificate into a keystore. However, I haven't received any keystore from the CA. I created a keystore and tried to import the public certificate into it. But then I get the following error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Do I need a keystore from the CA, or am I doing something wrong?
Command used to create the keystore:
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
Command used to import the cert:
keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks
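For reference, keytool's -importcert behaves in two different ways depending on the alias: if the alias already holds a private-key entry, the file is treated as a certificate reply and keytool checks that the reply's public key matches that key pair (the check that produces "Public keys in reply and keystore don't match"); if the alias is new, the file is simply stored as a trusted-certificate entry, which does not give the server an identity to present. The following program is an added example, not code from the question or from any answer. It does the same import with the KeyStore API and spells out why each failure happens. It assumes a JKS keystore, that the key password equals the store password (keytool's default), that the alias given on the command line is the one used for -genkey, and that the PEM files may contain several certificates (the signed cert plus intermediate/root CA certs).

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example (not from the question or any answer): import a CA-signed
// certificate reply into the private-key entry it was issued for, with the
// same public-key check keytool performs. Assumed usage:
//   java ImportSignedCert keystore.jks tomcat signed-cert.pem [ca-chain.pem ...]
public class ImportSignedCert {

    public static void main(String[] args) throws Exception {
        if (args.length < 3 || System.console() == null) {
            System.err.println("usage (from a terminal): java ImportSignedCert <keystore.jks> <alias> <signed-cert.pem> [ca-chain.pem ...]");
            System.exit(2);
        }
        String ksPath = args[0];
        String alias = args[1];
        char[] password = System.console().readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS, as in the question
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, password);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' holds no private key; a signed "
                + "certificate can only be imported into the entry whose key pair produced the CSR");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, password); // assumption: key password == store password
        PublicKey expected = ks.getCertificate(alias).getPublicKey();

        // Candidate certificates: all certs in the PEM files on the command line
        // plus the trusted CA certificates already present in the keystore.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> pool = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                for (Certificate c : cf.generateCertificates(in)) {
                    pool.add((X509Certificate) c);
                }
            }
        }
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(a)) {
                pool.add((X509Certificate) ks.getCertificate(a));
            }
        }

        List<X509Certificate> chain = buildChain(expected, pool);
        chain.get(0).checkValidity(); // throws if the signed cert is expired or not yet valid

        // Replace the self-signed placeholder from -genkey with the CA-issued chain.
        ks.setKeyEntry(alias, key, password, chain.toArray(new Certificate[0]));
        try (OutputStream out = new FileOutputStream(ksPath)) {
            ks.store(out, password);
        }
        System.out.println("Imported a chain of " + chain.size() + " certificate(s) under alias '" + alias + "'");
    }

    // Selects the certificate whose public key matches the entry's key pair, then
    // follows issuer links up to a self-signed root, verifying each signature.
    static List<X509Certificate> buildChain(PublicKey expected, List<X509Certificate> pool)
            throws GeneralSecurityException {
        X509Certificate leaf = null;
        for (X509Certificate c : pool) {
            if (Arrays.equals(c.getPublicKey().getEncoded(), expected.getEncoded())) {
                leaf = c;
                break;
            }
        }
        if (leaf == null) {
            // The condition behind keytool's "Public keys in reply and keystore don't match":
            // the CA signed a CSR made from a different key pair than the one under this alias.
            throw new GeneralSecurityException("no certificate in the reply matches this entry's public key; "
                + "create the CSR from this keystore (keytool -certreq) and have it signed, "
                + "or import into the keystore the CSR was generated from");
        }
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate current = leaf;
        while (!current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate candidate : pool) {
                if (!candidate.getSubjectX500Principal().equals(current.getIssuerX500Principal())) continue;
                try {
                    current.verify(candidate.getPublicKey());
                    issuer = candidate;
                    break;
                } catch (GeneralSecurityException e) {
                    // same subject name but a different key (e.g. a renewed CA cert): keep looking
                }
            }
            if (issuer == null || chain.size() > 10) {
                throw new GeneralSecurityException("cannot complete the chain: no certificate for issuer '"
                    + current.getIssuerX500Principal() + "' was supplied or trusted; import the "
                    + "intermediate/root CA certificates (keytool -importcert -trustcacerts) first");
            }
            chain.add(issuer);
            current = issuer;
        }
        return chain;
    }
}
```

After a successful run, keytool -list -v -keystore keystore.jks should show the alias as a PrivateKeyEntry with a certificate chain length greater than 1 and the CA as issuer; if the alias still shows a chain length of 1 with the self-signed subject, the reply was stored as a separate trusted-certificate entry rather than attached to the key.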
I think you are not properly following the certificate signing process. Check out this discussion https://forums.oracle.com/thread/1533940 to implement it properly by following the steps below:
1. Create a keystore
keytool -genkey -keyalg RSA -keystore test.keystore -validity 360
(this generates a keystore and a key (DC) with alias of "mykey")
2. Create a Certificate Signing Request (CSR)
keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore
(this generates a text CSR file)
3. Had the signed cert generated: http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html
4. Imported the signed certificate
(watch out for CRLFs if pasting the signed cert from step 3)
keytool -import -alias newkey -file <signed cert file> -keystore test.keystore
(?important that this has an alias different from step 1, which defaults to "mykey"?)
5. Export the public key for client usage
keytool -export -alias mykey -file test.publickey -keystore test.keystore
On the server system:
6. Create a truststore
keytool -genkey -keyalg RSA -keystore test.truststore -validity 360
(this generates a keystore and a key (DC) with alias of "mykey")
7. Import the public key - for testing an SSL SOAP service via a client
keytool -import -file test.publickey -keystore test.truststore
The problem was letting the alias in steps 1 and 6 default to "mykey".
When I changed step 6 to be:
keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360
you can import using step 7 above (though I did add "-alias apublickey" in step 7).
This worked for me.
You can use the KeyStore Explorer GUI tool to generate a keystore/certificate and to import/export certificates into/from a keystore.
I faced the same problem while importing the SSL certificate into the keystore. In my case the certificate of the root CA was missing from the chain. I exported the root certificate to a file and manually imported it into the keystore.
Please change the alias from tomcat to some other value, as you are using the same alias as for the keystore -genkey.