问题
I have this problem when I import a certification file into keystore:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
I do this this operation:
1) create my keystore on the server :
keytool -genkey -keystore C:\keystore\keystore -alias jboss -keyalg RSA
2) I have domain.pfx and convert it whit this command:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain_encrypted.key
openssl rsa -in domain_encrypted.key -out domain.key
Now I have 3 new files:
- domain.cer
- domain_encrypted.key
- domain.key
3) In the end, Import the domain.cer into C:\keystore\keystore in the jboss alias:
keytool -import -alias jboss -keystore C:\keystore\keystore -file C:\cert\domain.cer
But I have this error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
What is the problem?
回答1:
A keystore comprises of two entries types:
Private Key Entry (which binds the private key stored in the keystore with the certificate imported in the keystore.) Here, the alias must remain the same which was used when the keystore file was created.
Trusted Entry :- This entry comprises of all the trusted certificate entries including the root and intermediate certificates.
If a keystore is binded to a domain in the server.xml file of tomcat, then it must contain the private key entry.
Now, as per your performed steps, you created a keystore first (a private key got generated in it) and then you tried to import the certificate in keystore. But in the command you didn't use the private key which you converted using openssl; you used the private key which freshly got generated when you generated the keystore.
As you have the domain.pfx with you, yo can straight away convert it using the below keytool command:
keytool -importkeystore -srckeystore domain.pfx -srcstoretype pkcs12 -destkeystore name_of_the_keystore_file.jks -deststoretype jks
Note: Make sure the keystore password and the key password remains the same.
回答2:
Change the alias name as another entry with jboss alias should have already been created. You can view the truststore and alias name in that by executing -> keytool -list -v -keystore . I am sure it will be resolved.
回答3:
I had the same issue today. I resolved it by having a using a different alias when I imported the certificate. So I had alias1 when generating the keystone and alias2 when importing the certificate.
来源:https://stackoverflow.com/questions/26256856/keytool-error-java-lang-exception-public-keys-in-reply-and-keystore-dont-matc