[Solved] Public keys in reply and Keystore don’t match

keytool error: java.lang.Exception: Public keys in reply and keystore don’t match

There are multiple items which can be the reason of this error. public keys in reply and keystore don’t match can occur if same alias name was used while creating JKS store and while importing the certificate into the store, SSL Certificate was generated for a different key pair, Root CA is missing from the chain or using a wrong fully qualified domain while creating CSR.


1. Same alias name:

The most obvious reason and the one I faced was the same alias name. I created key store and used same alias name while importing the certificate. All you need to do is to just change the alias and hopefully it will solve the issue.

2. SSL Certificate was generated for a different key pair:

  1. Create a new key pair
  2. Add a trusted certificate to the keystore
  3. Add another trusted certificate to the keystore
  4. Try to import the SSL certificate of the server as a certificate for your key pair

Step 4 fails because the SSL certificate was generated for a completely different key pair.

The three certificates are probably:

  1. The SSL certificate of the webservice
  2. The CA certificate that signed the SSL certificate
  3. The root certificate that signed the CA

What you have to do now is to add a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.

Usually, the SSL server sends the whole chain except for the root certificate to the client during SSL handshake. This means that you have to add the root certificate to your truststore:

keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot

3. Root CA is missing from the chain:

There might be a case that “The root certificate that signed the CA” is missing from the chain. Please check if you have the appropriate ROOT CA certificate otherwise export it from the Intermediate and import it in the keystore. Importing the Root CA into my keystore worked for me.

4. Wrong Domain Name

The exception (keystore don’t match) can occur while hosting with Tomcat8 if you have entered a wrong domain name or no domain name while creating your keystore, you will need to re-create your Keystore file again and resubmit your CSR again to your Certification Authority (CA) licensed/recognised/approved to issue Digital Signature Certificates.

Azhar Ali Buttar has 20 years of experience working in different domains within IT industry. From network protocols to server hardening, he knows about multiple areas and has been working side by side with MNCs to provide cost-effective security and infrastructure solutions. Azhar’s expertise lies in off-site and hybrid infrastructure deployment using multiple platforms which includes, but not limited to, Azure, AWS, Google and Private Clouds. He has also been leading several infrastructure and security teams to deploy and perform security optimization in multiple projects, and now leads Nocastra with his decision-making and client-oriented skills.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.