13 Replies Latest reply: May 21, 2009 7:09 PM by EJP RSS

    Public keys in reply and keystore don't match

    843811
      Hi,
      I try to sign a certrequest wiht open ssl and import the result in my keystore.
      But it doesn't work, I get the error message:
      keytool error: java.lang.Exception: Public keys in reply and keystore don't match

      here is what I do (obmitting aliases, filenames, and passwords):
      - I create a keypair using keytool -genkey -keyalg RSA
      - I create a certification request using keytool -certreq
      - I get it signed with open ssl: openssl x509 -req -days 365 -in xxx.req -signkey xxx.private -out xxx.key
      - I try to import the result into my keystore: keytool -import

      and end up with the exception mentioned above.

      any help would be apreciated
      Spieler
        • 1. Re: Public keys in reply and keystore don't match
          843811
          Did you get this figured out? I am having the same problem.

          RPettyJr@yahoo.com
          • 2. Re: Public keys in reply and keystore don't match
            843811
            Did you get this figured out? I am having the same problem
            My id is sanjoeapen@rediffmail.com
            • 3. Re: Public keys in reply and keystore don't match
              843811
              try converting to DER format :

              openssl x509 -in xxx.key -out xxx.der -outform DER

              then import the xxx.der into your keystore.
              • 4. Re: Public keys in reply and keystore don't match
                843811
                I have a certificate that I exported from Internet Explorer. I created a keystore using the command

                keytool -genkey -dname "CN=xxx, OU=xxxx, O=xxxx, L=xxxx, S=xx, C=xxx" -alias ESMKeyStore -keypass xxxx -keystore edfkeystore -storepass xxx -keyalg "RSA" -validity 360

                I then tried to import the certificate that I had exported from IE using the following command

                keytool -import -trustcacerts -alias ESMKeyStore -file c:\edfx509DERcertificate.cer -keystore edfkeystore

                When I did this I got the error

                keytool error: java.lang.Exception: Public keys in reply and keystore don't match

                I am using jdk 1.5. The certificate was provided to me by my employer so the certificate authority is my employer. What is this telling me? I entered the CN, O, and OU to what I saw when I looked at the details of the certificate (from within IE).
                • 5. Re: Public keys in reply and keystore don't match
                  843811
                  I got same problem
                  Tim
                  • 6. Re: Public keys in reply and keystore don't match
                    EJP
                    I don't understand any of this. The keytool can generate self-signed certificates itself. Why would you go via openssl? And I don't understand where '-signkey xxx.private' came from, as keytool doesn't provide any means of exporting a private key AFAIK.

                    And for the people exporting certs from IE, how about telling us where those certs came from? and the basis for your expectation that they should match anything in the keystore?
                    • 7. Re: Public keys in reply and keystore don't match
                      843811
                      I got that same error ("Public keys in reply and keystore don't match") when I did this:
                      1. create a keystore
                      keytool -genkey -keyalg RSA -keystore test.keystore -validity 360
                      (this generates a keystore and a key (DC) with alias of "mykey")

                      2. create a Certificate Signing Request (CSR).
                      keytool -certreq -keyalg RSA -file test.csr -keystore test.keystore
                      (this generates a text CSR file)

                      3. Had signed cert generated:
                      http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-index.html

                      4. Imported signed certificate
                      (watch out for CRLFs if pasting signed cert from step 3)
                      keytool -import -alias newkey -file <signed cert file> -keystore test.keystore
                      (?important that this has an alias different to step 1 (which defaults to "mykey")?

                      5. Export public key for client usage
                      keytool -export -alias mykey -file test.publickey -keystore test.keystore

                      On Server system

                      6. create a truststore
                      keytool -genkey -keyalg RSA -keystore test.truststore -validity 360
                      (this generates a keystore and a key (DC) with alias of "mykey")

                      7. Import public key - for testing SSL SOAP service via client
                      keytool -import -file test.publickey -keystore test.truststore

                      The problem was letting the alias in steps 1 and 6 default to "mykey".
                      When I changed step 6 to be:
                      keytool -genkey -alias testAlias -keyalg RSA -keystore test.truststore -validity 360

                      I could import using step 7 above (though I did add "-alias apublickey" in step 7).
                      This worked for me.
                      • 8. Re: Public keys in reply and keystore don't match
                        EJP
                        (?important that this has an alias different to step 1 (which defaults to "mykey")?
                        No, it's important that the alias is the same. But you shouldn't use the default alias in either case.
                        6. create a truststore
                        keytool -genkey -keyalg RSA -keystore test.truststore -validity 360
                        (this generates a keystore and a key (DC) with alias of "mykey")
                        If you generate a key pair, it is not a truststore, it is a keystore. If it's supposed to be a truststore, don't generate any keypairs in it. This keypair doesn't seem to get used later on, so perhaps that's it - i.e. you can omit step 6 altogether. Which would also explain your later problem, and why changing the alias in step 6 made it work.
                        • 9. Re: Public keys in reply and keystore don't match
                          843811
                          I�ve got now the same problem. Please, taka a look in this link:

                          [http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm]

                          This procedure works, but when I do the steps in my way, this error appears.

                          So, I think the problem is related to archieve openssl.cnf.

                          I�ve used my own, take a look:
                          #
                          # OpenSSL example configuration file.
                          # This is mostly being used for generation of certificate requests.
                          #
                          
                          # This definition stops the following lines choking if HOME isn't
                          # defined.
                          HOME               = .
                          RANDFILE          = $ENV::HOME/.rnd
                          
                          # Extra OBJECT IDENTIFIER info:
                          #oid_file          = $ENV::HOME/.oid
                          oid_section          = new_oids
                          
                          # To use this configuration file with the "-extfile" option of the
                          # "openssl x509" utility, name here the section containing the
                          # X.509v3 extensions to use:
                          # extensions          = 
                          # (Alternatively, use a configuration file that has only
                          # X.509v3 extensions in its main [= default] section.)
                          
                          [ new_oids ]
                          
                          # We can add new OIDs in here for use by 'ca' and 'req'.
                          # Add a simple OID like this:
                          # testoid1=1.2.3.4
                          # Or use config file substitution like this:
                          # testoid2=${testoid1}.5.6
                          
                          ####################################################################
                          [ ca ]
                          default_ca     = CA_default          # The default ca section
                          
                          ####################################################################
                          [ CA_default ]
                          
                          dir          = ./test              # Where everything is kept
                          certs          = $dir/certs          # Where the issued certs are kept
                          crl_dir          = $dir/crl          # Where the issued crl are kept
                          database     = ./index.txt             # database index file.
                          #unique_subject     = no               # Set to 'no' to allow creation of
                                                   # several ctificates with same subject.
                          new_certs_dir     = $dir          # default place for new certs.
                          
                          certificate     = ./cacert.pem       # The CA certificate
                          serial          = ./serial.txt             # The current serial number
                          crlnumber     = $dir/crlnumber     # the current crl number
                                                   # must be commented out to leave a V1 CRL
                          crl          = $dir/crl.pem           # The current CRL
                          private_key     = $dir/private/cakey.pem# The private key
                          RANDFILE     = $dir/private/.rand     # private random number file
                          
                          x509_extensions     = usr_cert          # The extentions to add to the cert
                          
                          # Comment out the following two lines for the "traditional"
                          # (and highly broken) format.
                          name_opt      = ca_default          # Subject Name options
                          cert_opt      = ca_default          # Certificate field options
                          
                          # Extension copying option: use with caution.
                          # copy_extensions = copy
                          
                          # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
                          # so this is commented out by default to leave a V1 CRL.
                          # crlnumber must also be commented out to leave a V1 CRL.
                          # crl_extensions     = crl_ext
                          
                          default_days     = 365               # how long to certify for
                          default_crl_days= 30               # how long before next CRL
                          default_md     = sha1               # which md to use.
                          preserve     = no               # keep passed DN ordering
                          
                          # A few difference way of specifying how similar the request should look
                          # For type CA, the listed attributes must be the same, and the optional
                          # and supplied fields are just that :-)
                          policy          = policy_match
                          
                          # For the CA policy
                          [ policy_match ]
                          countryName          = match
                          stateOrProvinceName     = match
                          organizationName     = match
                          organizationalUnitName     = optional
                          commonName          = supplied
                          emailAddress          = optional
                          
                          # For the 'anything' policy
                          # At this point in time, you must list all acceptable 'object'
                          # types.
                          [ policy_anything ]
                          countryName          = optional
                          stateOrProvinceName     = optional
                          localityName          = optional
                          organizationName     = optional
                          organizationalUnitName     = optional
                          commonName          = supplied
                          emailAddress          = optional
                          
                          ####################################################################
                          [ req ]
                          default_bits          = 2048
                          default_keyfile      = privkey.pem
                          distinguished_name     = req_distinguished_name
                          attributes          = req_attributes
                          x509_extensions     = v3_ca     # The extentions to add to the self signed cert
                          
                          # Passwords for private keys if not present they will be prompted for
                          # input_password = secret
                          # output_password = secret
                          
                          # This sets a mask for permitted string types. There are several options. 
                          # default: PrintableString, T61String, BMPString.
                          # pkix      : PrintableString, BMPString.
                          # utf8only: only UTF8Strings.
                          # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
                          # MASK:XXXX a literal mask value.
                          # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
                          # so use this option with caution!
                          string_mask = nombstr
                          
                          # req_extensions = v3_req # The extensions to add to a certificate request
                          
                          [ req_distinguished_name ]
                          countryName               = Country Name (2 letter code)
                          countryName_default          = XXX
                          countryName_min               = 2
                          countryName_max               = 2
                          
                          stateOrProvinceName          = State or Province Name (full name)
                          stateOrProvinceName_default     = SP
                          
                          localityName               = City
                          localityName_default            = XXX
                          
                          0.organizationName          = Organization Name (eg, company)
                          0.organizationName_default     = XXX
                          
                          # we can do this but it is not needed normally :-)
                          #1.organizationName          = Second Organization Name (eg, company)
                          #1.organizationName_default     = World Wide Web Pty Ltd
                          
                          organizationalUnitName          = Organizational Unit Name
                          organizationalUnitName_default     = XXX
                          
                          commonName               = Name
                          commonName_default              = XXX
                          commonName_max               = 64
                          
                          emailAddress               = Email Address
                          emailAddress_max          = 64
                          
                          # SET-ex3               = SET extension number 3
                          
                          [ req_attributes ]
                          challengePassword          = A challenge password
                          challengePassword_min          = 4
                          challengePassword_max          = 20
                          
                          unstructuredName          = An optional company name
                          
                          [ usr_cert ]
                          
                          # These extensions are added when 'ca' signs a request.
                          
                          # This goes against PKIX guidelines but some CAs do it and some software
                          # requires this to avoid interpreting an end user certificate as a CA.
                          
                          basicConstraints=CA:FALSE
                          
                          # Here are some examples of the usage of nsCertType. If it is omitted
                          # the certificate can be used for anything *except* object signing.
                          
                          # This is OK for an SSL server.
                          # nsCertType               = server
                          
                          # For an object signing certificate this would be used.
                          # nsCertType = objsign
                          
                          # For normal client use this is typical
                          # nsCertType = client, email
                          
                          # and for everything including object signing:
                          # nsCertType = client, email, objsign
                          
                          # This is typical in keyUsage for a client certificate.
                          # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
                          
                          # This will be displayed in Netscape's comment listbox.
                          nsComment               = "OpenSSL Generated Certificate"
                          
                          # PKIX recommendations harmless if included in all certificates.
                          subjectKeyIdentifier=hash
                          authorityKeyIdentifier=keyid,issuer
                          
                          # This stuff is for subjectAltName and issuerAltname.
                          # Import the email address.
                          # subjectAltName=email:copy
                          # An alternative to produce certificates that aren't
                          # deprecated according to PKIX.
                          # subjectAltName=email:move
                          
                          # Copy subject details
                          # issuerAltName=issuer:copy
                          
                          #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
                          #nsBaseUrl
                          #nsRevocationUrl
                          #nsRenewalUrl
                          #nsCaPolicyUrl
                          #nsSslServerName
                          
                          [ v3_req ]
                          
                          # Extensions to add to a certificate request
                          
                          basicConstraints = CA:FALSE
                          keyUsage = nonRepudiation, digitalSignature, keyEncipherment
                          
                          [ v3_ca ]
                          
                          
                          # Extensions for a typical CA
                          
                          
                          # PKIX recommendation.
                          
                          subjectKeyIdentifier=hash
                          
                          authorityKeyIdentifier=keyid:always,issuer:always
                          
                          # This is what PKIX recommends but some broken software chokes on critical
                          # extensions.
                          #basicConstraints = critical,CA:true
                          # So we do this instead.
                          basicConstraints = CA:true
                          
                          # Key usage: this is typical for a CA certificate. However since it will
                          # prevent it being used as an test self-signed certificate it is best
                          # left out by default.
                          # keyUsage = cRLSign, keyCertSign
                          
                          # Some might want this also
                          # nsCertType = sslCA, emailCA
                          
                          # Include email address in subject alt name: another PKIX recommendation
                          # subjectAltName=email:copy
                          # Copy issuer details
                          # issuerAltName=issuer:copy
                          
                          # DER hex encoding of an extension: beware experts only!
                          # obj=DER:02:03
                          # Where 'obj' is a standard or added object
                          # You can even override a supported extension:
                          # basicConstraints= critical, DER:30:03:01:01:FF
                          
                          [ crl_ext ]
                          
                          # CRL extensions.
                          # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
                          
                          # issuerAltName=issuer:copy
                          authorityKeyIdentifier=keyid:always,issuer:always
                          
                          [ proxy_cert_ext ]
                          # These extensions should be added when creating a proxy certificate
                          
                          # This goes against PKIX guidelines but some CAs do it and some software
                          # requires this to avoid interpreting an end user certificate as a CA.
                          
                          basicConstraints=CA:FALSE
                          
                          # Here are some examples of the usage of nsCertType. If it is omitted
                          # the certificate can be used for anything *except* object signing.
                          
                          # This is OK for an SSL server.
                          # nsCertType               = server
                          
                          # For an object signing certificate this would be used.
                          # nsCertType = objsign
                          
                          # For normal client use this is typical
                          # nsCertType = client, email
                          
                          # and for everything including object signing:
                          # nsCertType = client, email, objsign
                          
                          # This is typical in keyUsage for a client certificate.
                          # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
                          
                          # This will be displayed in Netscape's comment listbox.
                          nsComment               = "OpenSSL Generated Certificate"
                          
                          # PKIX recommendations harmless if included in all certificates.
                          subjectKeyIdentifier=hash
                          authorityKeyIdentifier=keyid,issuer:always
                          
                          # This stuff is for subjectAltName and issuerAltname.
                          # Import the email address.
                          # subjectAltName=email:copy
                          # An alternative to produce certificates that aren't
                          # deprecated according to PKIX.
                          # subjectAltName=email:move
                          
                          # Copy subject details
                          # issuerAltName=issuer:copy
                          
                          #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
                          #nsBaseUrl
                          #nsRevocationUrl
                          #nsRenewalUrl
                          #nsCaPolicyUrl
                          #nsSslServerName
                          
                          # This really needs to be in place for it to be a proxy certificate.
                          proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
                          Just a detail, in your folder, mut to have this folder "test", just because this line:

                          dir          = ./test           # Where everything is kept

                          I hope this helps...

                          :)
                          • 10. Re: Public keys in reply and keystore don't match
                            EJP
                            This procedure works, but when I do the steps in my way, this error appears.
                            So don't do it 'in my way'. Do it the way that works.
                            So, I think the problem is related to archieve openssl.cnf.
                            The problem is obviously whatever is different between your procedure and the one above.

                            I can't detect the relevance of your file to the topic, or to the forum.
                            • 11. Re: Public keys in reply and keystore don't match
                              843811
                              SOLVED. On Windows...

                              %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
                              %JAVA_HOME%\bin\keytool -certreq -alias tomcat -keyalg RSA -file certrequest.csr

                              <issue cert and export ca cert; all as base64>

                              %JAVA_HOME%\bin\keytool -importcert -alias truststore -trustcacerts -file ca.b64.crt
                              %JAVA_HOME%\bin\keytool -importcert -alias tomcat -trustcacerts -file certreply.b64.crt

                              DONE.
                              • 12. Re: Public keys in reply and keystore don't match
                                843811
                                The critical thing is the use of -alias on the import. Without this error is generated - which is NOT at all obvious.
                                • 13. Re: Public keys in reply and keystore don't match
                                  EJP
                                  And which I stated above, 18 months ago.