SSL Certificate generation error

Hi everybody,

I’m trying to generate a certificate to try on my server. I’ve followed the How To tutorial. I got a free certificate from VeriSign.
But at step n) I get the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don’t match

I have tried with the Trial SSL Intermediate CA Certificate and the Trial SSL certificate but same error.
Does this error mean that the password I typed is wrong? Because I’m 100% sure it’s the one I used when I created the keystore! And the alias as well.

Here are the steps described by VeriSign:

Step 1. Download and install the Trial Root CA Certificate.

Open the link below and follow the steps to install the Root certificate in your internet browser:
https://knowledge.verisign.com/support/ … id=SO10670

Note: You need to install the Trial Root CA Certificate on each browser where you will test the certificate.
For real certificates (non-Trial certificates) you DO NOT need to install any certificate in the browsers.

Step 2. Download the Trial SSL Intermediate CA Certificate.

To download the Trial Intermediate CA and install on each Web server you are testing with, go to:
http://www.verisign.com/support/verisig … index.html

IMPORTANT:
You MUST install the VeriSign Trial intermediate on your server together with your Certificate or it will not operate correctly.
If Microsoft IIS 5.0 or above was selected, you DO NOT need to install the intermediate certificate.

Step 3. Install the Intermediate CA and your Trial SSL certificate:

For detailed installation instructions for your Trial SSL Certificate and Intermediate CA, go to:
http://www.verisign.co.uk/support/ssl-c … icate.html

Found it on the internet:

I was trying to import the certificate using an alias name already in use (which I thought was what I was supposed to do). I changed the alias name, and the cert then imported without a problem.

Also I have just noticed on a VeriSign help page that they use “root” as alias and apparently it looks compulsory (no <>) ?!

```
keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
```

Is that what I have to do? The aliases don’t have to be the same? :roll:

Confirmation that I use the right password and alias:
Using the command:

```
keytool -list -v -keystore keystore.ks
```

> Enter keystore password:
> 
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 1 entry
> 
> Alias name: agkey
> Creation date: 29-Jul-2009
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> ...

Found another interesting answer on the internet:

key mismatch

When adding a new proposal.crt to the keystore I got the following message:
keytool error: java.lang.Exception: Public keys in reply and keystore don’t match

There is a mismatch between the keys with the current keystore and the one contained in the proposal.crt. There are two possible reasons for this (these are assumptions, not proven!)

The public keys are out of date or missing. Best to create a keystore from scratch like shown on this wiki page.
The proposal.crt is created with a different keystore file than the one used last year. Fix this by creating from scratch or create a new proposal.csr with the correct keystore file.

So it would mean that my csr does not contain the same password as my ks? Pffff I need to make a new one and request another trial certificate again :x

I think I have solved the problem. In fact I needed to use root as alias for the intermediate certificate and then my alias for the SSL certificate.
However I think I’m getting the error explained in o)

keytool error: java.lang.Exception: Failed to establish chain from reply

However I can’t find the parents in the .crt files (intermediate and SSL). When I look at the tree there is just one child (my server domain name). And when I look at the file in notepad there is just one part with “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” and nothing else.

Fixed. I just needed to use different aliases for the Root and Intermediate.
Also just after I found this topic :oops:
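A way to tell a genuine "Public keys in reply and keystore don't match" from an alias clash, added here as an example (not code from this thread, Servoy or VeriSign): it builds a throwaway CA with openssl, issues a "reply" for one key, compares public-key fingerprints against the right and a wrong key, and, when a JDK is on the path, repeats the check against a keystore entry and runs the import order from the posts above (CA certs under their own aliases, reply under the key alias). The file names, the alias "agkey" and the password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, Servoy or VeriSign: rebuild the situation
# behind "Public keys in reply and keystore don't match" with a throwaway CA, and
# show the check that separates a real key mismatch from an alias problem.
# File names, the alias "agkey" and the password "changeit" are assumptions.
set -eu
work=$(mktemp -d); cd "$work"

# SHA-256 of the public key carried by a PEM certificate, CSR or private key.
pubkey_fp() {
  case "$1" in
    *.crt) openssl x509 -in "$1" -pubkey -noout ;;
    *.csr) openssl req -in "$1" -pubkey -noout ;;
    *)     openssl pkey -in "$1" -pubout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Throwaway CA standing in for the trial root (constructed, not VeriSign's).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Test Root" -days 1 2>/dev/null
# Key A, its CSR and the "reply" the CA issues for that CSR.
openssl req -newkey rsa:2048 -nodes -keyout keyA.key -out keyA.csr \
  -subj "/CN=server.example" 2>/dev/null
openssl x509 -req -in keyA.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out reply.crt -days 1 2>/dev/null
# Key B: what a keystore re-created from scratch holds; the reply was not issued for it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out keyB.key 2>/dev/null

reply_matches_key() { [ "$(pubkey_fp reply.crt)" = "$(pubkey_fp "$1")" ]; }

# Same check against a JKS entry: keytool -exportcert dumps the self-signed certificate
# that -genkeypair stored for the alias, which carries the key the CSR must come from.
reply_matches_keystore() {  # reply.crt keystore alias storepass
  keytool -exportcert -rfc -alias "$3" -keystore "$2" -storepass "$4" -file entry.crt >/dev/null 2>&1
  [ "$(pubkey_fp "$1")" = "$(pubkey_fp entry.crt)" ]
}

# Full keytool round trip, only when a JDK is present: CSR from the keystore, CA reply,
# then the import order from the thread (CA cert under its own alias, reply under the
# key alias). Importing the reply under "root" would be the alias clash seen above.
if command -v keytool >/dev/null 2>&1; then
  keytool -genkeypair -alias agkey -keyalg RSA -keysize 2048 -dname "CN=server.example" \
    -keystore keystore.ks -storepass changeit -keypass changeit >/dev/null 2>&1
  keytool -certreq -alias agkey -keystore keystore.ks -storepass changeit -file ks.csr 2>/dev/null
  openssl x509 -req -in ks.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ksreply.crt -days 1 2>/dev/null
  reply_matches_keystore ksreply.crt keystore.ks agkey changeit && echo "reply fits keystore key"
  keytool -importcert -noprompt -alias root -keystore keystore.ks -storepass changeit -file ca.crt >/dev/null 2>&1
  keytool -importcert -alias agkey -keystore keystore.ks -storepass changeit -file ksreply.crt >/dev/null 2>&1
fi
```

If the fingerprints differ, no alias change will help: the CSR was made from another key and a new CSR from the current keystore is needed, exactly the second reason quoted above.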

Anyway, now Servoy doesn’t seem to like my certificate. When I try to connect using https nothing happens and with http I get this error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

As explained by VeriSign I have installed the Trial Root certificate on the client. Installed the Intermediate and SSL certificate on the server.
I have modified the settings in Servoy admin page and server.xml as explained in the tutorial.
Don’t know what to do :(