Following instructions in Admin Guide, and in KB, an attempt has been made to establish a 3rd party certificate for the Enforce UI.
But the following error appears when running the last step (importing the CA back into the original keystore file in tomcat, as per KB TECH221433
keytool -import -alias tomcat -keystore .keystore -trustcacerts -storepass protect -file enforce.cer
"public keys in reply and keystore don't match"
This resulted from a mismatch between the hash of the requested cert, and the originally generated (signed) certificate.
This means the details in the Private key (original to the self-signed certificate created as per the instructions in KB TECH221433) do not match the Public Key for which the customer's CA cert has been created.
-dname "cN=enforce.dlpsupport.test, O=Symantec, Ou=DLP Support, L=Springfield, S=OR, C=US"
Ensure that CSR includes correct details for the certificate - matching the company name exactly, otherwise the handshake will show a different size of the request when matched to the signed certificate: e.g., appending "LLC" to the company name is enough to change the result.
In this case, it is necessary to recreate the self-signed certificate as per instructions in KB TECH221433 and ensure that the -dname parameters match exactly those for which the certificate request is being made. Note that there is an attachment to KB TECH221433 which gives examples of the steps required.