java.lang.Exception: Public keys in reply and keystore don't match

Question

I have to access a webservice hosted at port 443.Service provider has shared three certificate with us.

1. ABCD.cer
2. CA_Certificate.cer
3. CCA_Certificate.cer

I have to add them to keystore by creating a form chain for the SSL communication.I have followed below steps.

1. keytool -keystore npci_keystore_test.jks -genkey -alias npci_client_testore

      Result :- keystore npci_keystore_test.jks created.
   

2. keytool -import -keystore npci_keystore_test.jks -file CA_Certificate.cer -alias theCARoot

      Result :- certificate CA_Certificate.cer is added to keystore.
   

3. keytool -import -keystore npci_keystore_test.jks -file CCA_Certificate.cer -alias theCCARoot

      Result :- certificate CCA_Certificate.cer is added to keystore.
   

4. keytool -import -keystore npci_keystore_test.jks -file ABCD.cer -alias npci_client_testore

   At the step 4 i have below exception

   Enter keystore password: (and when i enter password i have below exception)

   keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I have already done search in SO,but so far no luck.

I am following below source to create the store and import certificate in it. JKS Keystore

EDIT:---

I have tested it by changing the import order of certificate,but no luck so far.

Answer 1

I had the same exception error (keystore don't match) hosting with Tomcat8. If you have entered a wrong domain name or no domain name while creating your keystore, you will need to re-create your Keystore file again and resubmit your CSR again to your Certification Authority (CA) licensed/recognised/approved to issue Digital Signature Certificates (Godaddy in my case).

Here are the commands to create a keystore file:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcat.keystore -deststoretype pkcs12

(You need to enter the domain name when the prompt asks for a first and last name, it is requesting the Fully Qualified Domain Name (FDQN) e.g. www.example.com). From the City, State and Province - do not abbreviate

Enter the following command to create the CSR (from the same directory as your tomcat.keystore location):

keytool -certreq -keyalg RSA -alias tomcat -file myFQDN.csr -keystore tomcat.keystore

Note: Because of the previous "keystore don't match" error, I had to delete all my Godaddy certificates from my windows console (MMC).

Once your Certificate files are ready from your Certification Authority. Download the files and double click on each of the 2 .crt files to reinstall them again in windows (Choose automatically install in Local Machine). Make sure you backup your tomcat.keystore file then import these certificate files IN ORDER into your tomcat.keystore file (from scratch) with the same order as the following example:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file namewithnumbersandletters.crt

Make sure you have updated your server.xml then restart your Tomcat

<Connector port="80" protocol="HTTP/1.1"
    relaxedQueryChars="|{}[]%-"
    connectionTimeout="20000"
    redirectPort="443" />  
<Connector  SSLEnabled="true" URIEncoding="UTF-8" 
    clientAuth="false" 
    keystoreFile="C:\Program Files\Java\jdk-11.0.9\bin\tomcat.keystore" 
    keystorePass="ChangeToYourPassword" 
    maxThreads="200" 
    port="443" 
    scheme="https" 
    secure="true" 
    sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2"
    /> 

Voilà! The Locked icon (Secure Connection) appears when browsing on the domain.

Answer 2

This happens when you are trying to import a certificate to an existing jks file which already has the same alias present in it. if you want to use the same alias then first delete the old alias and its associated certificate in the jks and then import the new one.

1 - keytool -delete -alias <alias_name> -keystore <your jks file name>
2 - keytool -import -alias <alias_name> -keystore <your jks file name> -file <your source cer or crt file>

Answer 3

Similar to @Omikron's answer, I resolved it by adding the TrustedRoot.crt and DigiCertCA.crt files into the jre/lib/security/cacerts keystore.

sudo keytool -import -alias ALIAS -file TrustedRoot.crt -storetype JKS -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file DigiCertCA.crt

I was then able to import the certificate into my own keystore.

keytool -import -trustcacerts -alias other_alias -file certificate.crt -keystore keystore.jks -keypass "password" -storepass "password1"

Answer 4

This worked for me:

keytool -keystore yourkeystorename -importcert -alias certificatealiasname -file certificatename.cer

Answer 5

In the 4 point (where you are getting error : keytool error: java.lang.Exception: Public keys in reply and keystore don't match) where you are importing the certificate, please change the alias. The alias should not be npci_client_testore as it is already used for alias of keystore.

Answer 6

The issue here is the alias you used while importing the certificate which is similar to the one you used while creating the JKS store. Just change the alias and it will solve your issue. The source document [1] needs to be corrected accordingly.

[1] http://docs.oracle.com/cd/E19509-01/820-3503/ggfgo/index.html

Answer 7

The link in your question explains how to create an SSL keystore for a server, which is not what you want to do. What you did was:

1. Create a new key pair
2. Add a trusted certificate to the keystore
3. Add another trusted certificate to the keystore
4. Try to import the SSL certificate of the server as a certificate for your key pair

Step 4 fails because the SSL certificate was generated for a completely different key pair.

The three certificates are probably:

1. The SSL certificate of the webservice
2. The CA certificate that signed the SSL certificate
3. The root certificate that signed the CA

What you have to do now is to add a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.

Usually the SSL server sends the whole chain except for the root certificate to the client during SSL handshake. This means that you have to add the root certificate to your truststore:

keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot

Additional steps are necessary if the webservice requires SSL client authentication, but you have never mentioned client authentication, so I assume that it is not necessary.