search cancel

Certificate details differ in PAM Client and the browser


Article ID: 199058


Updated On:


CA Privileged Access Manager (PAM)


When you compare certificate details from the one provided by browser and the one imported in the PAM client, the certificate's serial number is the same but the public key is different. Since it is the same certificate  why is there such a difference ?

See for instance


This is working as designed. It is because the client keystore is based upon the java keystore and so it keeps the certificate in a different format as the browser and, in particular, the public key is represented in a different way




There is no resolution as this is working as designed. However, if one wants to double-check we are talking abut teh same certificate one can follow this procedure:

The CA PAM Client certificates are in the CA PAM Client  directory, in a file called cacerts, so if one know the alias of the certificate one is trying to check (which will show when you open the properties of the certificate in the PAM Client Certificate Store tab) one can do

keytool -list -rfc -keystore cacerts -alias <certificate_alias_here> | openssl x509 -inform pem -pubkey -noout

That uses keytool to export the certificate to a x509 format and then openssl to retrieve the key. It will ask for a password which is blank by default.

If one then exports the certificate from Windows in der format one can do as before

openssl x509 -inform der -pubkey -noout -in <certificate_exported_from_windows_here>

Comparing the keys, both should be the same