tomcat-users mailing list archives

From Crypto Sal <crypto....@gmail.com>
Subject Re: Tomcat 5 SSL keytool error: java.lang.Exception: Public key in reply and keystore don't match
Date Wed, 21 Oct 2009 00:40:32 GMT
Nicholas,

You bring up a good point about the alias. It's what I feel most people 
mess up on when installing SSL Certificates to a keystore. If no alias 
is specified upon creation of the keystore, the alias is "mykey". You 
can import ANY certificate you want into the keystore. You don't need 
its private key. So keytool will act as if nothing is wrong. It's very 
sneaky in this regard.

One can easily see the contents of the keystore: `keytool -keystore 
KEYSTORE_FILE -v -list -storepass PASSWORD > SOMEFILE.TXT ` and one can 
see the alias here if they so forget what they gave it.


Miguel,

In regards to your issue, make sure the CSR and Certificate's modulus 
match. Easiest way is via OpenSSL. Since you're on CentOS, you probably 
already have this.

`openssl x509 -noout -modulus -in YOUR_CERT.crt | openssl md5` and 
`openssl req -noout -modulus -in YOUR.CSR | openssl md5 `

Compare these two hashes. And if they're different...

`openssl x509 -noout -serial -in YOUR_CERT.crt`, and verify the serial 
number with Network Solutions, your CA, as they might have sent you the 
wrong certificate. Worst comes to worst, you might have to get a 
re-issue and make your keystore and csr have unique matching file names.

On 10/20/2009 12:19 PM, Nicholas Sushkin wrote:
> Miguel,
>
> I just installed a cert using our own CA, had a bit of trouble myself, but
> it worked in the end. I found comodo's and Herong Yang's instructions
> useful. See
>
> http://www.herongyang.com/crypto/OpenSSL_Signing_keytool_CSR.html and
> https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1204
>
> One thing to note is that when you import cert, use the same certificate
> alias as the key's (for example, "-genkey -alias tomcat" followed
> by "-import -trustcacerts -alias tomcat")
>
>
> On Tuesday 20 October 2009 10:36, Miguel Ortiz wrote:
>
>    
>> I have a tomcat 5 web server setup on CentOS, I am currently working on
>> installing a SSL cert but don't seem to be having any luck. I get the
>> following error:
>>
>> keytool error: java.lang.Exception: Public key in reply and keystore
>> don't match
>>
>> I have reissued the cert through Network Solutions and followed the
>> following instructions to generate and install the cert. I have run out
>> of my patience with them. Is there anything else that I may be missing?
>> Thanks
>>
>> http://www.networksolutions.com/support/csr-for-java-based-webservers-such-as-tomcat-using-keytool/
>>
>> http://www.networksolutions.com/support/installation-for-java-based-webservers-such-as-tomcat-using-keytool/
>>
>>
>> Miguel
>>      
>
>    


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


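The modulus comparison Crypto Sal describes, scripted end to end as an added example (this is not code from the thread or from Tomcat). It builds a throw-away CSR, one certificate issued over that CSR's key and one issued over a different key with the same subject, then runs both the post's `-modulus | openssl md5` check and a generalisation of it (a SHA-256 of the DER-encoded public key, which also works for EC keys that have no modulus). The file names, the CN `www.example.test` and the keys are all constructed here; only `openssl` is required.

```shell
#!/bin/sh
# Added example, not part of the mailing list post. Confirms that the cert
# a CA returned was issued for the public key in the CSR you sent, i.e. the
# key in your keystore. Needs only openssl. File names, CN and keys below
# are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- fixtures: one CSR, a cert that matches it, one that does not --------
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
# right.crt: signed over the CSR's own key, standing in for the CA's reply
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 1 -out "$WORK/right.crt" 2>/dev/null
# wrong.crt: same subject, but issued for a *different* key; importing it
# under the key's alias is what triggers "Public key in reply and keystore
# don't match"
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -days 1 -keyout "$WORK/other.key" -out "$WORK/wrong.crt" 2>/dev/null

# The check from the post: md5 of the RSA modulus.  Usage: modulus_md5 csr|cert FILE
modulus_md5() {
    case "$1" in
        csr)  openssl req  -noout -modulus -in "$2" ;;
        cert) openssl x509 -noout -modulus -in "$2" ;;
        *)    echo "modulus_md5: unknown kind '$1'" >&2; return 2 ;;
    esac | openssl md5 | awk '{print $NF}'
}

# Generalisation: SHA-256 over the DER SubjectPublicKeyInfo. Same verdict
# for RSA, and it also covers EC keys.  Usage: pubkey_fp key|csr|cert FILE
pubkey_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        csr)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *)    echo "pubkey_fp: unknown kind '$1'" >&2; return 2 ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when CERT was issued for the key in CSR, 1 otherwise.
cert_matches_csr() {
    [ "$(pubkey_fp csr "$1")" = "$(pubkey_fp cert "$2")" ]
}

# Serial number to quote back to the CA when the check fails.
cert_serial() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

for crt in right wrong; do
    if cert_matches_csr "$WORK/server.csr" "$WORK/$crt.crt"; then
        echo "$crt.crt: public key matches the CSR"
    else
        echo "$crt.crt: MISMATCH, ask the CA about serial $(cert_serial "$WORK/$crt.crt")"
    fi
done
```

Run it against your own files by replacing the fixture section with the paths to your CSR and the certificate the CA sent; `pubkey_fp key` on the private key lets you confirm the CSR itself was generated from the key that is in the keystore. If the fingerprints differ, the keystore is not at fault and no amount of re-importing will help; the certificate was issued for another key.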