Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
305 views
in Technique[技术] by (71.8m points)

java - Error while Importing public certificate to a keystore

I have a public certificate from a CA. I want to create a Java SSL connection using this certificate. I referred How can I use different certificates on specific connections? and Java SSL connection with self-signed certificate without copying complete keystore to client. From this I understand that I need to import the certificate into a keystore. However I haven't received any keystore from the CA. I created a keystore and tried to import the public certificate to it. But then I get the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Do i need a keystore from the CA or am i doing something wrong?


Command used to create the keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

Command used to import the cert:

keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I think you are not properly following certificate signin process. Checkout this discussion https://forums.oracle.com/thread/1533940 to implement them properly by following below steps:

  1. create a keystore keytool -genkey -keyalg RSA -keystore test.keystore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")

  2. create a Certificate Signing Request (CSR). keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore (this generates a text CSR file)

  3. Had signed cert generated: http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html

  4. Imported signed certificate (watch out for CRLFs if pasting signed cert from step 3) keytool -import -alias newkey -file <signed cert file> -keystore test.keystore (?important that this has an alias different to step 1 (which defaults to "mykey")?

  5. Export public key for client usage keytool -export -alias mykey -file test.publickey -keystore test.keystore

On Server system

  1. create a truststore keytool -genkey -keyalg RSA -keystore test.truststore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")

  2. Import public key - for testing SSL SOAP service via client keytool -import -file test.publickey -keystore test.truststore

The problem was letting the alias in steps 1 and 6 default to "mykey". When I changed step 6 to be: keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360

you can import using step 7 above (though I did add "-alias apublickey" in step 7). This worked for me.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...