5 Replies. Latest reply: Apr 27, 2011 6:17 AM by EJP

configure ssl(.p7b) certificate for tomcat

ilkinesrefli Newbie
Hello everyone,

I have a trusted certificate (.p7b) file. I want to configure this for Tomcat on a Linux server. But I have no keystore file for importing; importing into some other keystore file is impossible, an exception is thrown: keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I am trying to configure it the way described here:
http://dev.jonova.com/JonovaAdmin/help/ja_help/HTML/servletAdmin/SSLConfiguration.htm
Please help me, how can I solve this problem?

Thanks in advance,
  • 1. Re: configure ssl(.p7b) certificate for tomcat
    EJP Guru
    I have no keystore file for importing
    You don't need it. The keytool will create it for you.
    some other keystore file importing impossible
    You're going to have to explain that statement.
    exception throws: keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    So in other words you do have a keystore file already.

    You're going to have to explain what you're doing. It seems to me that the error above can only happen if you are importing a CSR, which is not what you said you are doing.
  • 2. Re: configure ssl(.p7b) certificate for tomcat
    ilkinesrefli Newbie
    I have only a p7b file. To configure it, I first created a keystore file with
    keytool -genkey -alias tomcat -keyalg RSA -keystore app.keystore
    then I tried to import
    keytool -import -alias tomcat -v -keystore wic.keystore -file cert.p7b
    but an exception was thrown:
    keytool error: java.lang.Exception: Public keys in reply and keystore don't match

    ----
    I understand from the link (http://dev.jonova.com/JonovaAdmin/help/ja_help/HTML/servletAdmin/SSLConfiguration.htm#RequestCert) that first a keystore should be created, then a CSR file created from the keystore file with
    keytool -certreq -keyalg RSA -alias tomcat -file app.csr -keystore app.keystore
    after that this CSR file is sent for requesting the trusted certificate; finally this trusted certificate (p7b) must be imported into this keystore file.
  • 3. Re: configure ssl(.p7b) certificate for tomcat
    EJP Guru
    I have only a p7b file
    Stop right there. You are importing a CA-signed certificate. You can't possibly 'have only [the] p7b file' in this circumstance.
    You must already have the private key and you must already have generated a CSR from it.
    I understand from the link (http://dev.jonova.com/JonovaAdmin/help/ja_help/HTML/servletAdmin/SSLConfiguration.htm#RequestCert) that first a keystore should be created, then a CSR file created from the keystore file with
    keytool -certreq -keyalg RSA -alias tomcat -file app.csr -keystore app.keystore
    after that this CSR file is sent for requesting the trusted certificate; finally this trusted certificate (p7b) must be imported into this keystore file.
    Exactly, but you're not doing it in that order. You are starting with the p7b, then creating a private key. That's back to front. And the public key of the new private key doesn't match the public key of the signed CSR you are importing, as the exception says. Of course it doesn't.
  • 4. Re: configure ssl(.p7b) certificate for tomcat
    ilkinesrefli Newbie
    Yes, you are right. Briefly, I haven't got the keystore file for this .p7b (because I didn't create the p7b file; somebody sent it to me for import) to import the p7b into the appropriate keystore.
    In this case what must I do?

    I understand that
    - first I must have keystore file,
    - and then I must generate a private key (CSR) from this keystore,
    - and then send this private key to the CA requesting a certificate (p7b),
    - and finally import p7b to above keystore file.
    But now I haven't got appropriate keystore and private key file. :( Is there any solution for this case?
  • 5. Re: configure ssl(.p7b) certificate for tomcat
    EJP Guru
    Yes, you are right. Briefly, I haven't got the keystore file for this .p7b (because I didn't create the p7b file; somebody sent it to me for import) to import the p7b into the appropriate keystore.
    Most probably it is a trusted certificate for import into your truststore. In which case you just import it, don't create a private key. And designate the resulting file as a truststore, not a keystore.

    Or else 'somebody' doesn't know what they are doing.
    I understand that first I must have a keystore file, and then I must generate a private key (CSR) from this keystore, and then send this private key to the CA requesting a certificate (p7b), and finally import the p7b into the above keystore file. But now I haven't got the appropriate keystore and private key file. :(
    Is there any solution for this case?
    No. The certificate signing process starts with generating a private key. Either you aren't doing that or your colleague doesn't know what he's doing. You have to generate the private key and the CSR and the CA has to sign it. As stated in the link you cited.
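    The two possibilities EJP lays out (the p7b is a CA reply for a private key you already hold, or it is just trusted certificates for a truststore) can be told apart before touching keytool, by checking whether the public key in the certificate is the one derived from the private key. This is an added example, not from the thread; it assumes openssl is installed and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Works out what a .p7b you were "just sent"
# actually contains and whether a certificate in it was issued for a private key
# you hold, which is the condition behind keytool's error
# "Public keys in reply and keystore don't match". Assumes openssl is installed;
# the file names passed in are illustrative.

# SHA-256 fingerprint of a PEM SubjectPublicKeyInfo, normalised through DER so
# the same key always hashes the same regardless of how it was printed.
spki_fp() {
  printf '%s\n' "$1" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key that belongs to a PEM private key.
pubkey_fp_of_key() {
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pub" ] || return 1
  spki_fp "$pub"
}

# Fingerprint of the public key inside a PEM certificate (first one in the file).
pubkey_fp_of_cert() {
  pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) && [ -n "$pub" ] || return 1
  spki_fp "$pub"
}

# Succeeds only when the certificate's public key is the one derived from the key.
cert_matches_key() {
  k=$(pubkey_fp_of_key "$1") || return 1
  c=$(pubkey_fp_of_cert "$2") || return 1
  [ "$k" = "$c" ]
}

# Unpack a PKCS#7 bundle (PEM or DER .p7b) into a PEM file of plain certificates
# so each can be inspected; prints how many certificates it held.
p7b_to_pem() {
  openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null ||
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" || return 1
  grep -c 'BEGIN CERTIFICATE' "$2"
}

# Where the first certificate of a bundle belongs: "keystore" if it pairs with
# the given private key (import it as the CA reply under that key's alias),
# otherwise "truststore" (import it as a trusted certificate, no private key).
classify_cert() {
  if cert_matches_key "$1" "$2"; then echo keystore; else echo truststore; fi
}
```

    A "truststore" result for every certificate in the bundle means there is no private key on this machine that the p7b was issued for, which is exactly the situation the thread ends on.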
