PRIVILEGED ACCESS MANAGEMENT, all versions
This is working as designed. The client keystore is based on the Java keystore, so it keeps the certificate in a different format than the browser and, in particular, represents the public key in a different way.
There is no resolution, as this is working as designed. However, to double-check that we are talking about the same certificate, one can follow this procedure:
The CA PAM Client certificates are stored in the CA PAM Client directory, in a file called cacerts. If one knows the alias of the certificate to check (it is shown when you open the properties of the certificate in the PAM Client Certificate Store tab), one can run:
keytool -list -rfc -keystore cacerts -alias <certificate_alias_here> | openssl x509 -inform pem -pubkey -noout
That uses keytool to export the certificate in X.509 format and then openssl to retrieve the public key. It will ask for a password, which is blank by default.
If one then exports the certificate from Windows in DER format, one can extract the key in the same way:
openssl x509 -inform der -pubkey -noout -in <certificate_exported_from_windows_here>
Comparing the keys, both should be the same.
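The comparison step can be scripted rather than done by eye. The following is an added example, not part of the original article or the product: it assumes a POSIX shell with openssl available, and the function names and the file name pam_client.pem are hypothetical.

```shell
#!/bin/sh
# Added example: check that a certificate saved from the PAM Client keystore
# (PEM, as printed by keytool -list -rfc) and a certificate exported from
# Windows (DER) carry the same public key.

# Print the SHA-256 digest of the public key inside a certificate.
# $1 = input format (pem or der), $2 = certificate file
pubkey_digest() {
    # Fail explicitly if openssl cannot parse the file; otherwise two
    # unreadable files would both hash to the digest of empty input.
    key=$(openssl x509 -inform "$1" -pubkey -noout -in "$2" 2>/dev/null) || return 1
    [ -n "$key" ] || return 1
    printf '%s\n' "$key" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = PEM certificate from the keystore, $2 = DER certificate from Windows
# Returns 0 if the public keys match, 1 if they differ,
# 2 if either file cannot be read as a certificate.
same_pubkey() {
    pem_digest=$(pubkey_digest pem "$1") || {
        echo "cannot read PEM certificate: $1" >&2
        return 2
    }
    der_digest=$(pubkey_digest der "$2") || {
        echo "cannot read DER certificate: $2" >&2
        return 2
    }
    echo "keystore: $pem_digest"
    echo "windows:  $der_digest"
    [ "$pem_digest" = "$der_digest" ]
}

# Usage, with the placeholders from the article:
#   keytool -list -rfc -keystore cacerts -alias <certificate_alias_here> > pam_client.pem
#   same_pubkey pam_client.pem <certificate_exported_from_windows_here> && echo "same key"
```

A return code of 2 means one of the files could not be parsed, which is kept distinct from a genuine key mismatch (return code 1).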