java.lang.Exception: Public keys in reply and keystore don't match

Frontend · Unresolved · 7 answers · 1448 views
既然无缘 2020-12-14 04:14

I have to access a webservice hosted at port 443. The service provider has shared three certificates with us.

  1. ABCD.cer
  2. CA_Certificate.cer
  3. CCA_Certi
7 answers
  • 2020-12-14 04:27

    Similar to @Omikron's answer, I resolved it by adding the TrustedRoot.crt and DigiCertCA.crt files into the jre/lib/security/cacerts keystore.

    # One import per certificate, each under its own alias (a single keytool call
    # only honours the last -file given, so two -file options import one cert).
    sudo keytool -import -alias ALIAS_ROOT -file TrustedRoot.crt -storetype JKS -keystore ${JAVA_HOME}/jre/lib/security/cacerts
    sudo keytool -import -alias ALIAS_CA -file DigiCertCA.crt -storetype JKS -keystore ${JAVA_HOME}/jre/lib/security/cacerts
    

    I was then able to import the certificate into my own keystore.

    keytool -import -trustcacerts -alias other_alias -file certificate.crt -keystore keystore.jks -keypass "password" -storepass "password1"
    
  • 2020-12-14 04:34

    In step 4 (where you are getting the error "keytool error: java.lang.Exception: Public keys in reply and keystore don't match"), where you are importing the certificate, please change the alias. The alias should not be npci_client_testore, as it is already used as the alias of the keystore entry.

  • 2020-12-14 04:37

    In my case, the "root certificate that signed the CA" was missing from the chain. Please check whether you have the appropriate root CA certificate; otherwise, export it from the intermediate and import it into the keystore. Importing the root CA into my keystore worked for me.

  • 2020-12-14 04:42

    This worked for me:

    keytool -keystore yourkeystorename -importcert -alias certificatealiasname -file certificatename.cer
    
  • 2020-12-14 04:46

    The link in your question explains how to create an SSL keystore for a server, which is not what you want to do. What you did was:

    1. Create a new key pair
    2. Add a trusted certificate to the keystore
    3. Add another trusted certificate to the keystore
    4. Try to import the SSL certificate of the server as a certificate for your key pair

    Step 4 fails because the SSL certificate was generated for a completely different key pair.

    The three certificates are probably:

    1. The SSL certificate of the webservice
    2. The CA certificate that signed the SSL certificate
    3. The root certificate that signed the CA

    What you have to do now is to add a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.

    Usually the SSL server sends the whole chain except for the root certificate to the client during the SSL handshake. This means that you have to add the root certificate to your truststore:

    keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot
    

    Additional steps are necessary if the webservice requires SSL client authentication, but you have never mentioned client authentication, so I assume that it is not necessary.

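The two operations this answer separates, as an added example that is not part of the original thread or of keytool itself. It is a Go model of what keytool does, written for this page: `importCertReply` is the check keytool runs when `-importcert` targets an alias that already holds a private key (the file is treated as a CA reply for that key, which is why the server's certificate produces "Public keys in reply and keystore don't match"), and `verifyAgainstTruststore` is the check the client's TLS stack runs once the root is a trust anchor. The chain (CCA root, intermediate CA, server leaf), the host name `webservice.example`, the use of ECDSA P-256 and the non-random serial numbers are all constructed for the demonstration and stand in for the three .cer files in the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrKeyMismatch stands in for keytool's "Public keys in reply and keystore don't match".
var ErrKeyMismatch = errors.New("public keys in reply and keystore don't match")

// issueCert signs a certificate for pub with parent/signer as issuer; parent == nil yields a self-signed root.
func issueCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA needs random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // constructed hostname, used for the TLS name check
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// importCertReply models keytool -importcert against an alias that already holds a private key:
// the file is treated as a CA reply for that key, so its public key must match the stored one.
func importCertReply(storedKey *ecdsa.PrivateKey, reply *x509.Certificate) error {
	replyPub, ok := reply.PublicKey.(*ecdsa.PublicKey)
	if !ok || !replyPub.Equal(&storedKey.PublicKey) {
		return ErrKeyMismatch
	}
	return nil
}

// verifyAgainstTruststore models the client's TLS check: leaf plus the intermediates the server sent must chain to an anchor.
func verifyAgainstTruststore(leaf *x509.Certificate, sent, anchors []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Outcome: reply import against the client's own key, chain check with the root anchored, same check with an empty truststore.
type Outcome struct{ ReplyImport, VerifyWithRoot, VerifyNoAnchor error }

// RunScenario builds a constructed chain (CCA root -> CA -> server) plus an unrelated client key pair (the -genkey entry).
func RunScenario() (o Outcome, err error) {
	var keys [4]*ecdsa.PrivateKey // root, CA, server, client
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return o, err
		}
	}
	var chain [3]*x509.Certificate // root, CA, server
	for i, cn := range []string{"CCA Root", "CA", "webservice.example"} {
		parent, signer := (*x509.Certificate)(nil), keys[0] // default: the root signs itself
		if i > 0 {
			parent, signer = chain[i-1], keys[i-1]
		}
		if chain[i], err = issueCert(cn, &keys[i].PublicKey, parent, signer, i < 2); err != nil {
			return o, err
		}
	}
	o.ReplyImport = importCertReply(keys[3], chain[2])                                             // step 4 of the question
	o.VerifyWithRoot = verifyAgainstTruststore(chain[2], chain[1:2], chain[:1], "webservice.example") // root in truststore
	o.VerifyNoAnchor = verifyAgainstTruststore(chain[2], chain[1:2], nil, "webservice.example")      // nothing trusted
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("reply import: %v\nroot anchored: %v\nempty truststore: %v\n", o.ReplyImport, o.VerifyWithRoot, o.VerifyNoAnchor)
}
```

Run with `go run`. The first line of output reproduces the mismatch from the question, the second is nil once the root is an anchor, and the third fails because no anchor is configured; note that only the intermediate is passed as "sent", mirroring a server that omits the root from its handshake, which is exactly why the root (and only the root) has to go into the truststore. On JDK 9 and later there is no `jre` directory and the default truststore is `${JAVA_HOME}/lib/security/cacerts`.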
  • 2020-12-14 04:48

    The issue here is that the alias you used while importing the certificate is similar to the one you used while creating the JKS store. Just change the alias and it will solve your issue. The source document [1] needs to be corrected accordingly.

    [1] http://docs.oracle.com/cd/E19509-01/820-3503/ggfgo/index.html
