Error importing signed certificate into AutoSys Web Server keystore - keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Article ID: 144719
Updated On:
Products
CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - System Agent (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent
CA Workload Automation AE
Issue/Introduction
While following the product documentation for customizing SSL for the AutoSys Web Server to use a certificate from a trusted Certificate Authority, an error was received when attempting to import the signed private certificate into the keystore:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Environment
AutoSys 11.3.6 SP8
UNIX
Linux
UNIX
Linux
Cause
In AutoSys 11.3.6 SP8, the keystore for the Web Server was changed to a BCFKS storetype. The error occurs when the signed certificate will not import properly into that storetype.
Resolution
Logon to the AutoSys Web Server machine.
cd to $AUTOUSER/webserver/conf
Backup the existing .keystore file and then remove it.
Create a temporary JKS keystore containing your private key and self-signed certificate...
keytool -genkey -alias tomcat -keyalg RSA -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<Web Server Hostname>" -validity 14600
Generate a csr from the temporary keystore...
keytool -certreq -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -file certreq.csr
Request a certificate in PEM format from a certificate authority. Contact the certificate authority that you chose for specific instructions. Obtain the root certificate, any intermediate certificates, and the signed private certificate and place them in $AUTOUSER/webserver/conf on the Web Server machine.
cd back to $AUTOUSER/webserver/conf
Import the root certificate into the temporary keystore...
keytool -importcert -alias RootCA -file root.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Import the any intermediate certificate(s) into the temporary keystore...
keytool -importcert -alias SubCA -file intermediate.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Import the private certificate into the tempoary keystore...
keytool -importcert -trustcacerts -file certificate.cer -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Convert the temporary JKS keystore to a BCFKS keystore with the correct file name that the Web Server will expect...
keytool -importkeystore -srckeystore $AUTOUSER/webserver/conf/.keystore2 -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS
Restart the Web Server.
cd to $AUTOUSER/webserver/conf
Backup the existing .keystore file and then remove it.
Create a temporary JKS keystore containing your private key and self-signed certificate...
keytool -genkey -alias tomcat -keyalg RSA -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<Web Server Hostname>" -validity 14600
Generate a csr from the temporary keystore...
keytool -certreq -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -file certreq.csr
Request a certificate in PEM format from a certificate authority. Contact the certificate authority that you chose for specific instructions. Obtain the root certificate, any intermediate certificates, and the signed private certificate and place them in $AUTOUSER/webserver/conf on the Web Server machine.
cd back to $AUTOUSER/webserver/conf
Import the root certificate into the temporary keystore...
keytool -importcert -alias RootCA -file root.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Import the any intermediate certificate(s) into the temporary keystore...
keytool -importcert -alias SubCA -file intermediate.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Import the private certificate into the tempoary keystore...
keytool -importcert -trustcacerts -file certificate.cer -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit
Convert the temporary JKS keystore to a BCFKS keystore with the correct file name that the Web Server will expect...
keytool -importkeystore -srckeystore $AUTOUSER/webserver/conf/.keystore2 -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS
Restart the Web Server.
Feedback
Yes
No
Powered by
