Error importing signed certificate into AutoSys Web Server keystore - keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Article ID: 144719
Updated On:
Products
CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - System Agent (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
CA Workload Automation Agent
CA Workload Automation AE
Issue/Introduction
While following the product documentation for customizing SSL for the AutoSys Web Server to use a certificate from a trusted Certificate Authority, an error was received when attempting to import the signed private certificate into the keystore...
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Cause
In AutoSys 11.3.6 SP8, the keystore for the Web Server was changed to a BCFKS storetype. The error occurs when the signed certificate will not import properly into that storetype.
Environment
AutoSys 11.3.6 SP8
UNIX
Linux
UNIX
Linux
Resolution
Logon to the AutoSys Web Server machine.
cd to $AUTOUSER/webserver/conf
Backup the existing .keystore file and then remove it.
Create a temporary JKS keystore containing your private key and self-signed certificate...
keytool -genkey -alias tomcat -keyalg RSA -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<Web Server Hostname>" -validity 14600
Generate a csr from the temporary keystore...
keytool -certreq -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -file certreq.csr
Request a certificate in PEM format from a certificate authority. Contact the certificate authority that you chose for specific instructions. Obtain the root certificate, any intermediate certificates, and the signed private certificate and place them in $AUTOUSER/webserver/conf on the Web Server machine.
cd back to $AUTOUSER/webserver/conf
Import the root certificate into the temporary keystore...
keytool -importcert -alias RootCA -file root.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Import the any intermediate certificate(s) into the temporary keystore...
keytool -importcert -alias SubCA -file intermediate.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Import the private certificate into the tempoary keystore...
keytool -importcert -trustcacerts -file certificate.cer -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Convert the temporary JKS keystore to a BCFKS keystore with the correct file name that the Web Server will expect...
keytool -importkeystore -srckeystore $AUTOUSER/webserver/conf/.keystore2 -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS
Restart the Web Server.
cd to $AUTOUSER/webserver/conf
Backup the existing .keystore file and then remove it.
Create a temporary JKS keystore containing your private key and self-signed certificate...
keytool -genkey -alias tomcat -keyalg RSA -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<Web Server Hostname>" -validity 14600
Generate a csr from the temporary keystore...
keytool -certreq -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -file certreq.csr
Request a certificate in PEM format from a certificate authority. Contact the certificate authority that you chose for specific instructions. Obtain the root certificate, any intermediate certificates, and the signed private certificate and place them in $AUTOUSER/webserver/conf on the Web Server machine.
cd back to $AUTOUSER/webserver/conf
Import the root certificate into the temporary keystore...
keytool -importcert -alias RootCA -file root.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Import the any intermediate certificate(s) into the temporary keystore...
keytool -importcert -alias SubCA -file intermediate.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Import the private certificate into the tempoary keystore...
keytool -importcert -trustcacerts -file certificate.cer -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Convert the temporary JKS keystore to a BCFKS keystore with the correct file name that the Web Server will expect...
keytool -importkeystore -srckeystore $AUTOUSER/webserver/conf/.keystore2 -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS
Restart the Web Server.
Feedback
Yes
No
Powered by
