13 Replies. Latest reply: May 21, 2009 5:09 PM by EJP

Public keys in reply and keystore don't match

843811 Newbie
Hi,
I am trying to sign a cert request with OpenSSL and import the result into my keystore.
But it doesn't work; I get the error message:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Here is what I do (omitting aliases, filenames, and passwords):
- I create a keypair using keytool -genkey -keyalg RSA
- I create a certification request using keytool -certreq
- I get it signed with open ssl: openssl x509 -req -days 365 -in xxx.req -signkey xxx.private -out xxx.key
- I try to import the result into my keystore: keytool -import

and end up with the exception mentioned above.

Any help would be appreciated.
Spieler
  • 1. Re: Public keys in reply and keystore don't match
    843811 Newbie
    Did you get this figured out? I am having the same problem.

    RPettyJr@yahoo.com
  • 2. Re: Public keys in reply and keystore don't match
    843811 Newbie
    Did you get this figured out? I am having the same problem.
    My id is sanjoeapen@rediffmail.com
  • 3. Re: Public keys in reply and keystore don't match
    843811 Newbie
    Try converting to DER format:

    openssl x509 -in xxx.key -out xxx.der -outform DER

    then import the xxx.der into your keystore.
  • 4. Re: Public keys in reply and keystore don't match
    843811 Newbie
    I have a certificate that I exported from Internet Explorer. I created a keystore using the command

    keytool -genkey -dname "CN=xxx, OU=xxxx, O=xxxx, L=xxxx, S=xx, C=xxx" -alias ESMKeyStore -keypass xxxx -keystore edfkeystore -storepass xxx -keyalg "RSA" -validity 360

    I then tried to import the certificate that I had exported from IE using the following command

    keytool -import -trustcacerts -alias ESMKeyStore -file c:\edfx509DERcertificate.cer -keystore edfkeystore

    When I did this I got the error

    keytool error: java.lang.Exception: Public keys in reply and keystore don't match

    I am using jdk 1.5. The certificate was provided to me by my employer so the certificate authority is my employer. What is this telling me? I entered the CN, O, and OU to what I saw when I looked at the details of the certificate (from within IE).
  • 5. Re: Public keys in reply and keystore don't match
    843811 Newbie
    I got the same problem.
    Tim
  • 6. Re: Public keys in reply and keystore don't match
    EJP Guru
    I don't understand any of this. The keytool can generate self-signed certificates itself. Why would you go via openssl? And I don't understand where '-signkey xxx.private' came from, as keytool doesn't provide any means of exporting a private key AFAIK.

    And for the people exporting certs from IE, how about telling us where those certs came from, and the basis for your expectation that they should match anything in the keystore?
  • 7. Re: Public keys in reply and keystore don't match
    843811 Newbie
    I got that same error ("Public keys in reply and keystore don't match") when I did this:
    1. create a keystore
    keytool -genkey -keyalg RSA -keystore test.keystore -validity 360
    (this generates a keystore and a key (DC) with alias of "mykey")

    2. create a Certificate Signing Request (CSR).
    keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore
    (this generates a text CSR file)

    3. Had signed cert generated:
    http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html

    4. Imported signed certificate
    (watch out for CRLFs if pasting signed cert from step 3)
    keytool -import -alias newkey -file <signed cert file> -keystore test.keystore
    (Is it important that this has an alias different from step 1, which defaults to "mykey"?)

    5. Export public key for client usage
    keytool -export -alias mykey -file test.publickey -keystore test.keystore

    On Server system

    6. create a truststore
    keytool -genkey -keyalg RSA -keystore test.truststore -validity 360
    (this generates a keystore and a key (DC) with alias of "mykey")

    7. Import public key - for testing SSL SOAP service via client
    keytool -import -file test.publickey -keystore test.truststore

    The problem was letting the alias in steps 1 and 6 default to "mykey".
    When I changed step 6 to be:
    keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360

    I could import using step 7 above (though I did add "-alias apublickey" in step 7).
    This worked for me.
  • 8. Re: Public keys in reply and keystore don't match
    EJP Guru
    (Is it important that this has an alias different from step 1, which defaults to "mykey"?)
    No, it's important that the alias is the same. But you shouldn't use the default alias in either case.
    6. create a truststore
    keytool -genkey -keyalg RSA -keystore test.truststore -validity 360
    (this generates a keystore and a key (DC) with alias of "mykey")
    If you generate a key pair, it is not a truststore, it is a keystore. If it's supposed to be a truststore, don't generate any keypairs in it. This keypair doesn't seem to get used later on, so perhaps that's it - i.e. you can omit step 6 altogether. Which would also explain your later problem, and why changing the alias in step 6 made it work.
  • 9. Re: Public keys in reply and keystore don't match
    843811 Newbie
    I've now got the same problem. Please take a look at this link:

    [http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm]

    This procedure works, but when I do the steps in my way, this error appears.

    So, I think the problem is related to the openssl.cnf file.

    I've used my own; take a look:
    #
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    #
    
    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME               = .
    RANDFILE          = $ENV::HOME/.rnd
    
    # Extra OBJECT IDENTIFIER info:
    #oid_file          = $ENV::HOME/.oid
    oid_section          = new_oids
    
    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions          = 
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)
    
    [ new_oids ]
    
    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    
    ####################################################################
    [ ca ]
    default_ca     = CA_default          # The default ca section
    
    ####################################################################
    [ CA_default ]
    
    dir          = ./test              # Where everything is kept
    certs          = $dir/certs          # Where the issued certs are kept
    crl_dir          = $dir/crl          # Where the issued crl are kept
    database     = ./index.txt             # database index file.
    #unique_subject     = no               # Set to 'no' to allow creation of
                             # several certificates with same subject.
    new_certs_dir     = $dir          # default place for new certs.
    
    certificate     = ./cacert.pem       # The CA certificate
    serial          = ./serial.txt             # The current serial number
    crlnumber     = $dir/crlnumber     # the current crl number
                             # must be commented out to leave a V1 CRL
    crl          = $dir/crl.pem           # The current CRL
    private_key     = $dir/private/cakey.pem     # The private key
    RANDFILE     = $dir/private/.rand     # private random number file
    
    x509_extensions     = usr_cert          # The extensions to add to the cert
    
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt      = ca_default          # Subject Name options
    cert_opt      = ca_default          # Certificate field options
    
    # Extension copying option: use with caution.
    # copy_extensions = copy
    
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions     = crl_ext
    
    default_days     = 365               # how long to certify for
    default_crl_days= 30               # how long before next CRL
    default_md     = sha1               # which md to use.
    preserve     = no               # keep passed DN ordering
    
    # A few different ways of specifying how similar the request should look.
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match
    
    # For the CA policy
    [ policy_match ]
    countryName          = match
    stateOrProvinceName     = match
    organizationName     = match
    organizationalUnitName     = optional
    commonName          = supplied
    emailAddress          = optional
    
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName          = optional
    stateOrProvinceName     = optional
    localityName          = optional
    organizationName     = optional
    organizationalUnitName     = optional
    commonName          = supplied
    emailAddress          = optional
    
    ####################################################################
    [ req ]
    default_bits          = 2048
    default_keyfile      = privkey.pem
    distinguished_name     = req_distinguished_name
    attributes          = req_attributes
    x509_extensions     = v3_ca     # The extensions to add to the self-signed cert
    
    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret
    
    # This sets a mask for permitted string types. There are several options. 
    # default: PrintableString, T61String, BMPString.
    # pkix      : PrintableString, BMPString.
    # utf8only: only UTF8Strings.
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
    # so use this option with caution!
    string_mask = nombstr
    
    # req_extensions = v3_req # The extensions to add to a certificate request
    
    [ req_distinguished_name ]
    countryName               = Country Name (2 letter code)
    countryName_default          = XXX
    countryName_min               = 2
    countryName_max               = 2
    
    stateOrProvinceName          = State or Province Name (full name)
    stateOrProvinceName_default     = SP
    
    localityName               = City
    localityName_default            = XXX
    
    0.organizationName          = Organization Name (eg, company)
    0.organizationName_default     = XXX
    
    # we can do this but it is not needed normally :-)
    #1.organizationName          = Second Organization Name (eg, company)
    #1.organizationName_default     = World Wide Web Pty Ltd
    
    organizationalUnitName          = Organizational Unit Name
    organizationalUnitName_default     = XXX
    
    commonName               = Name
    commonName_default              = XXX
    commonName_max               = 64
    
    emailAddress               = Email Address
    emailAddress_max          = 64
    
    # SET-ex3               = SET extension number 3
    
    [ req_attributes ]
    challengePassword          = A challenge password
    challengePassword_min          = 4
    challengePassword_max          = 20
    
    unstructuredName          = An optional company name
    
    [ usr_cert ]
    
    # These extensions are added when 'ca' signs a request.
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    
    basicConstraints=CA:FALSE
    
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    
    # This is OK for an SSL server.
    # nsCertType               = server
    
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    
    # For normal client use this is typical
    # nsCertType = client, email
    
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    # This will be displayed in Netscape's comment listbox.
    nsComment               = "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    [ v3_req ]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    [ v3_ca ]
    
    
    # Extensions for a typical CA
    
    
    # PKIX recommendation.
    
    subjectKeyIdentifier=hash
    
    authorityKeyIdentifier=keyid:always,issuer:always
    
    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true
    
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign
    
    # Some might want this also
    # nsCertType = sslCA, emailCA
    
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy
    
    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF
    
    [ crl_ext ]
    
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always
    
    [ proxy_cert_ext ]
    # These extensions should be added when creating a proxy certificate
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    
    basicConstraints=CA:FALSE
    
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    
    # This is OK for an SSL server.
    # nsCertType               = server
    
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    
    # For normal client use this is typical
    # nsCertType = client, email
    
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    # This will be displayed in Netscape's comment listbox.
    nsComment               = "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    # This really needs to be in place for it to be a proxy certificate.
    proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

    Just a detail: in your folder you must have the folder "test", because of this line:

    dir          = ./test           # Where everything is kept

    I hope this helps...

    :)
  • 10. Re: Public keys in reply and keystore don't match
    EJP Guru
    This procedure works, but when I do the steps in my way, this error appears.
    So don't do it 'in my way'. Do it the way that works.
    So, I think the problem is related to the openssl.cnf file.
    The problem is obviously whatever is different between your procedure and the one above.

    I can't detect the relevance of your file to the topic, or to the forum.
  • 11. Re: Public keys in reply and keystore don't match
    843811 Newbie
    SOLVED. On Windows...

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
    %JAVA_HOME%\bin\keytool -certreq -alias tomcat -keyalg RSA -file certrequest.csr

    <issue cert and export ca cert; all as base64>

    %JAVA_HOME%\bin\keytool -importcert -alias truststore -trustcacerts -file ca.b64.crt
    %JAVA_HOME%\bin\keytool -importcert -alias tomcat -trustcacerts -file certreply.b64.crt

    DONE.
  • 12. Re: Public keys in reply and keystore don't match
    843811 Newbie
    The critical thing is the use of -alias on the import. Without it, this error is generated, which is NOT at all obvious.
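The fix that posts 8, 11 and 12 converge on, as an added shell example that is not code from this thread: it runs the correct sequence (key pair, CSR, CA signing, CA cert imported under its own alias, reply imported under the key pair's alias) and then reproduces the thread's error by importing the same reply under a different key pair's alias. It assumes keytool and openssl on PATH; the keystore name, aliases, DNs and password are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the fix posts 8, 11 and 12 describe.
# keytool treats an -importcert under the alias of a private-key entry as a
# CA reply and compares the reply's public key with that entry's key, so the
# reply must go under the alias whose key pair produced the CSR. openssl acts
# as the CA here; keystore name, alias names, DNs and password are constructed.
WORK="${TMPDIR:-/tmp}/keytool-demo.$$"; mkdir -p "$WORK"
KT="keytool -keystore $WORK/ks.p12 -storetype PKCS12 -storepass changeit"

# Constructed self-signed test CA that signs the CSR in $1 into the cert in $2.
make_ca_and_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 >/dev/null 2>&1 &&
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -out "$2" -days 365 >/dev/null 2>&1
}

# Correct flow: genkeypair -> certreq -> CA signs -> import CA cert under its
# own alias -> import the reply under the key entry's alias. Returns 0 and
# leaves a two-certificate chain on "tomcat".
demo_ca_reply_import() {
  rm -f "$WORK"/*
  $KT -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=www.example.test, O=Example" >/dev/null 2>&1 || return 1
  $KT -certreq -alias tomcat -file "$WORK/tomcat.csr" >/dev/null 2>&1 || return 1
  make_ca_and_sign "$WORK/tomcat.csr" "$WORK/tomcat.crt" || return 1
  # The CA cert is a trusted entry under its own alias, never under "tomcat"
  $KT -importcert -noprompt -alias ca -file "$WORK/ca.crt" >/dev/null 2>&1 || return 1
  # Same alias as the CSR's key pair: public keys match, chain verifies via "ca"
  $KT -importcert -alias tomcat -file "$WORK/tomcat.crt" >/dev/null 2>&1 || return 1
  $KT -list -v -alias tomcat 2>/dev/null | grep -q "Certificate chain length: 2"
}

# The thread's mistake: import the reply under the alias of a different key
# pair. keytool must reject it with the error from the thread; returns 0 only
# if it did.
demo_alias_mismatch() {
  demo_ca_reply_import || return 1
  $KT -genkeypair -alias other -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=other.example.test, O=Example" >/dev/null 2>&1 || return 1
  out=$($KT -importcert -alias other -file "$WORK/tomcat.crt" 2>&1) && return 1
  echo "$out" | grep -q "Public keys in reply and keystore don't match"
}
```

Run `demo_alias_mismatch` to see both halves; the first import succeeds because the alias matches, the second fails with exactly the message this thread is about.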
  • 13. Re: Public keys in reply and keystore don't match
    EJP Guru
    And which I stated above, 18 months ago.