Error importing signed certificate into AutoSys Web Server keystore - keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Article ID: 144719
Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - System Agent (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
CA Workload Automation Agent
CA Workload Automation AE

Issue/Introduction

While following the product documentation for customizing SSL on the AutoSys Web Server to use a certificate from a trusted Certificate Authority, the following error was received when importing the signed server certificate into the Web Server keystore...

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Cause

In AutoSys 11.3.6 SP8 the Web Server keystore was changed from JKS to the BCFKS storetype. keytool installs a CA reply only when the public key in the reply matches the public key of the key pair already stored under the target alias; importing the signed certificate directly into the BCFKS store fails this check with the error above. The workaround is to generate the key pair, the CSR and the certificate chain in a temporary JKS keystore, where the import succeeds, and then convert the finished keystore to BCFKS.

Environment

AutoSys 11.3.6 SP8
UNIX
Linux

Resolution

Logon to the AutoSys Web Server machine.

cd to $AUTOUSER/webserver/conf

Back up the existing .keystore file and then remove it.

Create a temporary JKS keystore containing a new private key and self-signed certificate. The storetype is given explicitly because keytool in Java 9 and later defaults to PKCS12...

keytool -genkeypair -alias tomcat -keyalg RSA -storetype JKS -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<Web Server Hostname>" -validity 14600

Generate a csr from the temporary keystore...

keytool -certreq -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -file certreq.csr

Request a certificate in PEM format from a certificate authority, following that authority's instructions. Obtain the root certificate, any intermediate certificates, and the signed server certificate, and place them in $AUTOUSER/webserver/conf on the Web Server machine.

cd back to $AUTOUSER/webserver/conf

Import the root certificate into the temporary keystore...

keytool -importcert -alias RootCA -file root.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit

Import any intermediate certificate(s) into the temporary keystore...

keytool -importcert -alias SubCA -file intermediate.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit

Import the signed server certificate (the CA reply) into the temporary keystore. It must go under the same alias, tomcat, as the key pair the CSR was generated from: keytool compares the public key in the reply with the public key stored under that alias and refuses the import with the error in the title if they differ...

keytool -importcert -trustcacerts -file certificate.cer -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit

Convert the temporary JKS keystore to a BCFKS keystore with the file name the Web Server expects. keytool prompts for the source and destination keystore passwords. Use the keytool from the Java installation the Web Server runs on: the BCFKS storetype is supplied by the Bouncy Castle FIPS provider, and a keytool from a JDK without that provider rejects -deststoretype BCFKS...

keytool -importkeystore -srckeystore $AUTOUSER/webserver/conf/.keystore2 -srcstoretype JKS -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS

Restart the Web Server.
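The script below is an added example and is not part of this article or of the AutoSys product. It runs the resolution steps end to end offline by standing up a local keytool-generated root CA in place of the real certificate authority, then shows what the error in the title actually means by importing the same CA reply into a second keystore whose tomcat alias holds a different key pair. It assumes keytool is on PATH, reuses the throwaway password changeit from the article, and uses a placeholder hostname (webserver.example.test); the working directory, the CA name and the file names other than .keystore2, certreq.csr, root.cer and certificate.cer are chosen for the example. The final JKS-to-BCFKS conversion is attempted and reported as skipped when the JDK has no Bouncy Castle FIPS provider.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the article's CSR-and-import
# workflow with a local keytool-generated CA, plus a reproduction of
# "Public keys in reply and keystore don't match" against a store that holds a
# different key pair under the same alias.
# Assumptions: keytool on PATH; throwaway password "changeit"; placeholder hostname.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=changeit
HOST="${HOST:-webserver.example.test}"

# Stand-in for the real CA: a self-signed root in its own JKS store (constructed for this example).
make_local_ca() {
  keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 -storetype JKS \
    -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS" \
    -dname "cn=Example Test Root CA" -validity 3650 \
    -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign >/dev/null 2>&1
  keytool -exportcert -rfc -alias rootca -keystore "$WORK/ca.jks" \
    -storepass "$PASS" -file "$WORK/root.cer" >/dev/null 2>&1
}

# Article steps: temporary JKS store holding the server key pair, then a CSR from it.
make_temp_store_and_csr() {   # $1 keystore, $2 csr
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -storetype JKS \
    -keystore "$1" -storepass "$PASS" -keypass "$PASS" \
    -dname "cn=$HOST" -validity 14600 >/dev/null 2>&1
  keytool -certreq -alias tomcat -keystore "$1" -storepass "$PASS" -file "$2" >/dev/null 2>&1
}

# What the CA does out of band: sign the CSR with the root key, PEM output.
sign_csr() {   # $1 csr, $2 signed cert
  keytool -gencert -rfc -alias rootca -keystore "$WORK/ca.jks" -storepass "$PASS" \
    -infile "$1" -outfile "$2" -validity 365 \
    -ext san=dns:"$HOST" -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth >/dev/null 2>&1
}

# Trust the chain first, then install the CA reply under the SAME alias as the key pair.
# Returns keytool's exit status; its output is kept in $WORK/import.log for inspection.
import_chain_and_reply() {   # $1 keystore, $2 signed cert
  keytool -importcert -noprompt -alias RootCA -file "$WORK/root.cer" \
    -keystore "$1" -storepass "$PASS" >/dev/null 2>&1
  keytool -importcert -trustcacerts -alias tomcat -file "$2" \
    -keystore "$1" -storepass "$PASS" >"$WORK/import.log" 2>&1
}

# Article's last step: JKS -> BCFKS. Works only when the JDK running keytool has the
# Bouncy Castle FIPS provider registered; otherwise keytool rejects the storetype.
convert_to_bcfks() {   # $1 source JKS, $2 destination BCFKS
  keytool -importkeystore -noprompt -srcstoretype JKS -deststoretype BCFKS \
    -srckeystore "$1" -srcstorepass "$PASS" \
    -destkeystore "$2" -deststorepass "$PASS"
}

# Print "match" when the reply installs, "mismatch" when keytool raises the article's
# error, or the last line of keytool's output for anything else.
classify_import() {   # $1 keystore, $2 signed cert
  if import_chain_and_reply "$1" "$2"; then
    echo match
  elif grep -q "Public keys in reply and keystore don't match" "$WORK/import.log"; then
    echo mismatch
  else
    echo "other-error: $(tail -n 1 "$WORK/import.log")"
  fi
}

main() {
  make_local_ca
  make_temp_store_and_csr "$WORK/.keystore2" "$WORK/certreq.csr"   # store the CSR came from
  make_temp_store_and_csr "$WORK/other.jks"  "$WORK/unused.csr"    # different key pair, same alias
  sign_csr "$WORK/certreq.csr" "$WORK/certificate.cer"

  echo "reply into the originating store : $(classify_import "$WORK/.keystore2" "$WORK/certificate.cer")"
  echo "reply into a store with other key: $(classify_import "$WORK/other.jks"  "$WORK/certificate.cer")"

  if convert_to_bcfks "$WORK/.keystore2" "$WORK/.keystore" >/dev/null 2>&1; then
    echo "BCFKS keystore written to $WORK/.keystore"
  else
    echo "BCFKS conversion skipped: this JDK has no Bouncy Castle FIPS provider"
  fi
}

if command -v keytool >/dev/null 2>&1; then main; else echo "keytool not found on PATH" >&2; fi
```

The first classify_import line reports match because the reply was signed for the key pair under tomcat in .keystore2; the second reports mismatch because other.jks holds its own key pair under that alias, which is the situation keytool describes with the error in the title regardless of storetype. On the Web Server itself, run the same commands against $AUTOUSER/webserver/conf with the product's keytool so that the BCFKS conversion is available.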