Skip to Main Content
Forums

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Can't import an OpenSSL signed cert into a JKS using keytool

user13378168Feb 11 2011 — edited Feb 14 2011
Hey everyone,

*[Update]* When I do a "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self signed cert? How could the CA be producing a cert that has an issuer of another server?

I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system. Any help would be greatly appreciated.

I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.

For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Am I doing something wrong in this whole process?

1) Generate the Private Key for the CA server
openssl genrsa -out CA.key -des 2048

2) Generate the CSR on the CA
openssl req -new -key CA.key -out CA.csr

3) Sign the new CSR so that it can be used as the root certificate
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf

4) On server1, create Server Private Key KeyStore
keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"

5) On server1, create a CSR from the recently created Private Key
keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr

6) Transfer the CSR over to the CA (server1) so that it can be signed
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf

7) Transfer CA Public Cert to server1 and Import into keytool
keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks

8) Import recently signed CSR to app server keystore (This is where I receive the error)
keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks

Thanks!

Edited by: user13378168 on Feb 11, 2011 2:03 PM
Comments
Locked Post
New comments cannot be posted to this locked post.
Post Details
Locked on Mar 11 2011
Added on Feb 11 2011
#cryptography, #import, #security, #ssl
4 comments
1,859 views