java - Error while Importing public certificate to a keystore

Question

I have a public certificate from a CA. I want to create a Java SSL connection using this certificate. I referred How can I use different certificates on specific connections? and Java SSL connection with self-signed certificate without copying complete keystore to client. From this I understand that I need to import the certificate into a keystore. However I haven't received any keystore from the CA. I created a keystore and tried to import the public certificate to it. But then I get the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Do i need a keystore from the CA or am i doing something wrong?

---

Command used to create the keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

Command used to import the cert:

keytool -import -v -alias tomcat -file signed-cert.pem -keystore keystore.jks

Answer 1

I think you are not properly following certificate signin process. Checkout this discussion https://forums.oracle.com/thread/1533940 to implement them properly by following below steps:

1. create a keystore keytool -genkey -keyalg RSA -keystore test.keystore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")

2. create a Certificate Signing Request (CSR). keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore (this generates a text CSR file)

3. Had signed cert generated: http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html

4. Imported signed certificate (watch out for CRLFs if pasting signed cert from step 3) keytool -import -alias newkey -file <signed cert file> -keystore test.keystore (?important that this has an alias different to step 1 (which defaults to "mykey")?

5. Export public key for client usage keytool -export -alias mykey -file test.publickey -keystore test.keystore

On Server system

6. create a truststore keytool -genkey -keyalg RSA -keystore test.truststore -validity 360 (this generates a keystore and a key (DC) with alias of "mykey")

7. Import public key - for testing SSL SOAP service via client keytool -import -file test.publickey -keystore test.truststore

The problem was letting the alias in steps 1 and 6 default to "mykey". When I changed step 6 to be: keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360

you can import using step 7 above (though I did add "-alias apublickey" in step 7). This worked for me.