java.lang.Exception: Public keys in reply and keystore don't match

既然无缘 2020-12-14 04:14

I have to access a webservice hosted at port 443. The service provider has shared three certificates with us.

  1. ABCD.cer
  2. CA_Certificate.cer
  3. CCA_Certi
7 answers
  • 2020-12-14 04:49

    I had the same exception error (keystore don't match) hosting with Tomcat8. If you have entered a wrong domain name or no domain name while creating your keystore, you will need to re-create your Keystore file again and resubmit your CSR again to your Certification Authority (CA) licensed/recognised/approved to issue Digital Signature Certificates (Godaddy in my case).

    Here are the commands to create a keystore file:

    keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
    keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcat.keystore -deststoretype pkcs12

    (You need to enter the domain name when the prompt asks for a first and last name; it is requesting the Fully Qualified Domain Name (FQDN), e.g. www.example.com.) For City, State and Province, do not abbreviate.

    Enter the following command to create the CSR (from the same directory as your tomcat.keystore location):

    keytool -certreq -keyalg RSA -alias tomcat -file myFQDN.csr -keystore tomcat.keystore

    Note: Because of the previous "keystore don't match" error, I had to delete all my Godaddy certificates from my Windows console (MMC).

    Once your certificate files are ready from your Certification Authority, download the files and double-click each of the 2 .crt files to reinstall them in Windows (choose to automatically install in Local Machine). Make sure you back up your tomcat.keystore file, then import these certificate files IN ORDER into your tomcat.keystore file (from scratch), in the same order as the following example:

    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file namewithnumbersandletters.crt

    Make sure you have updated your server.xml, then restart your Tomcat:

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    <Connector
               URIEncoding="UTF-8"
               SSLEnabled="true"
               clientAuth="false"
               keystoreFile="C:\Program Files\Java\jdk1.8.0_181\bin\tomcat.keystore"
               keystorePass="changeme"
               maxThreads="200"
               port="443"
               scheme="https"
               secure="true"
               sslProtocol="TLS" />

    Voilà! The Locked icon (Secure Connection) appears when browsing on the domain.

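keytool raises exactly this exception when the public key in the CA's reply is not the public key of the key pair stored under the target alias, which is what happens after a keystore is regenerated as described above. As an added example (not code from the original answer or from keytool), the stdlib-only Python below performs that check ahead of `keytool -import`: export the keystore entry's own certificate with `keytool -exportcert -alias tomcat -rfc -keystore tomcat.keystore -file keystore-cert.pem`, then compare its SubjectPublicKeyInfo against the CA-issued certificate; the DER builder at the end only constructs unsigned sample certificates so the check runs offline, and the file names are assumptions.

```python
import base64
import hashlib
import re

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, end_of_value)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long-form length (e.g. 2048-bit RSA keys)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem):  # first CERTIFICATE block in the PEM text, base64-decoded
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))

def spki_of_cert(der):
    """Return the DER bytes of the certificate's subjectPublicKeyInfo (RFC 5280 4.1)."""
    _, pos, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                # TBSCertificate SEQUENCE
    tag, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    start = pos
    _, _, pos = _tlv(der, pos)                # subjectPublicKeyInfo
    return der[start:pos]

def key_fingerprint(pem):
    """SHA-256 over the SPKI: identifies the key pair regardless of issuer or validity."""
    return hashlib.sha256(spki_of_cert(pem_to_der(pem))).hexdigest()

def reply_matches_keystore(keystore_cert_pem, reply_cert_pem):
    """True when the CA reply certifies the same public key as the keystore entry."""
    return key_fingerprint(keystore_cert_pem) == key_fingerprint(reply_cert_pem)

# Constructed sample input (not real certificates): a tiny DER builder so the
# check can be exercised offline. Real input comes from keytool/openssl PEM files.
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert_pem(spki_bytes):
    """Structurally valid, unsigned certificate wrapping the given SPKI bytes."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") * 4 + spki_bytes)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()
```

On real files, `reply_matches_keystore(open("keystore-cert.pem").read(), open("namewithnumbersandletters.crt").read())` returning False means the CA signed a CSR from a different key pair than the one in tomcat.keystore, so a new CSR (not a re-import) is needed.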