keytool error: java.lang.Exception: Public keys in reply and keystore don’t match
There are several possible causes of this error. "Public keys in reply and keystore don't match" can occur if the same alias name was used when creating the JKS store and when importing the certificate into it, if the SSL certificate was generated for a different key pair, if the Root CA is missing from the chain, or if a wrong fully qualified domain name was used when creating the CSR.
Solutions!
1. Same alias name:
The most obvious reason, and the one I faced, was the same alias name. I created the key store and used the same alias name when importing the certificate. All you need to do is change the alias, and hopefully that will solve the issue.
2. SSL Certificate was generated for a different key pair:
- Create a new key pair
- Add a trusted certificate to the keystore
- Add another trusted certificate to the keystore
- Try to import the SSL certificate of the server as a certificate for your key pair
Step 4 fails because the SSL certificate was generated for a completely different key pair.
The three certificates are probably:
- The SSL certificate of the webservice
- The CA certificate that signed the SSL certificate
- The root certificate that signed the CA
What you have to do now is to add a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.
Usually, the SSL server sends the whole chain except for the root certificate to the client during SSL handshake. This means that you have to add the root certificate to your truststore:
keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot
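The first two causes above can be told apart before running keytool -importcert, by checking what the alias actually holds and whether the reply's public key equals the one in the keystore. The following Java program is an added example, not part of the original post; it assumes a JKS keystore path, store password, alias and a DER or PEM reply certificate passed as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Usage (added example): java KeyMatchCheck <keystore.jks> <storepass> <alias> <reply.cer>
public class KeyMatchCheck {
    // The comparison keytool performs before accepting a CA reply for an existing key entry:
    // the reply's encoded public key must equal the one in the self-signed cert under the alias.
    static boolean replyMatchesKeyPair(KeyStore ks, String alias, X509Certificate reply) throws Exception {
        byte[] inStore = ks.getCertificate(alias).getPublicKey().getEncoded();
        byte[] inReply = reply.getPublicKey().getEncoded();
        return Arrays.equals(inStore, inReply);
    }

    static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        String storePath = args[0], storePass = args[1], alias = args[2], replyPath = args[3];
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass.toCharArray());
        }
        if (!ks.containsAlias(alias)) {
            System.out.println("alias '" + alias + "' not found in " + storePath);
            return;
        }
        // Cause 1 from the post: the alias already holds a trusted certificate (an imported CA cert),
        // not your key pair, so there is no private key for the reply to match.
        if (!ks.isKeyEntry(alias)) {
            System.out.println("alias '" + alias + "' is a trusted-certificate entry, not a key pair;"
                    + " use a different alias for the CA certificates");
            return;
        }
        // Cause 2 from the post: the certificate was issued for a different key pair.
        if (replyMatchesKeyPair(ks, alias, readCert(replyPath))) {
            System.out.println("OK: reply public key matches the key pair under alias '" + alias + "'");
        } else {
            System.out.println("MISMATCH: reply was issued for a different key pair;"
                    + " generate the CSR from this keystore/alias and have it re-issued");
        }
    }
}
```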
3. Root CA is missing from the chain:
There might be a case where "the root certificate that signed the CA" is missing from the chain. Check whether you have the appropriate Root CA certificate; otherwise, export it from the Intermediate and import it into the keystore. Importing the Root CA into my keystore worked for me.
4. Wrong Domain Name:
If you used a wrong domain name, or no domain name, while creating your keystore, you will need to re-create your keystore file and resubmit your CSR to your Certification Authority (CA) licensed/recognised/approved to issue Digital Signature Certificates.