search cancel

Error importing signed certificate into AutoSys Web Server keystore - keytool error: java.lang.Exception: Public keys in reply and keystore don't match


Article ID: 144719


Updated On:


CA Workload Automation AE - Business Agents (AutoSys) CA Workload Automation AE - System Agent (AutoSys) CA Workload Automation AE - Scheduler (AutoSys) Workload Automation Agent CA Workload Automation AE


While following the product documentation for customizing SSL for the AutoSys Web Server to use a certificate from a trusted Certificate Authority, an error was received when attempting to import the signed private certificate into the keystore:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match


AutoSys 11.3.6 SP8


In AutoSys 11.3.6 SP8, the keystore for the Web Server was changed to a BCFKS storetype. The error occurs when the signed certificate will not import properly into that storetype.


Logon to the AutoSys Web Server machine.

cd to $AUTOUSER/webserver/conf

Backup the existing .keystore file and then remove it.

Create a temporary JKS keystore containing your private key and self-signed certificate...

keytool -genkey -alias tomcat -keyalg RSA -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<Web Server Hostname>" -validity 14600

Generate a csr from the temporary keystore...

keytool -certreq -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit -file certreq.csr

Request a certificate in PEM format from a certificate authority. Contact the certificate authority that you chose for specific instructions. Obtain the root certificate, any intermediate certificates, and the signed private certificate and place them in $AUTOUSER/webserver/conf on the Web Server machine.

cd back to $AUTOUSER/webserver/conf

Import the root certificate into the temporary keystore...

keytool -importcert -alias RootCA -file root.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit

Import the any intermediate certificate(s) into the temporary keystore...

keytool -importcert -alias SubCA -file intermediate.cer -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit

Import the private certificate into the tempoary keystore...

keytool -importcert -trustcacerts -file certificate.cer -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore2 -storepass changeit

Convert the temporary JKS keystore to a BCFKS keystore with the correct file name that the Web Server will expect...

keytool -importkeystore -srckeystore $AUTOUSER/webserver/conf/.keystore2 -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS

Restart the Web Server.