• Register
0 votes

Problem :

I am getting bellow error while using keytool

keytool error: java.lang.exception: public keys in reply and keystore don't match

6.9k points
edited by

Please log in or register to answer this question.

2 Answers

0 votes


The three certificates that we need to look at are probably:

  1. The SSL cert of the web service
  2. The CA cert that signed by the SSL cert
  3. The root cert that signed the CA

now you need  to add a trust anchor to your truststore by default: ${JAVA_HOME}/jre/lib/security/cacerts), with this result your client accepts the SSL certificate of the webservice.

Now you need to add the root certificate to your truststore:

keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot

Further Readings:


38.6k points
edited by
0 votes


The link in your question interprets how to make an SSL keystore for a server, which is not what you want to do. What you did was:

  1. Create a new key pair
  2. Add a trusted certificate to the keystore
  3. Add another trusted certificate to the keystore
  4. Attempt to import the SSL certificate of the server as a certificate for your key pair

Step 4 fails cause the SSL certificate was generated for a fully different key pair.

The three certificates are probably:

  1. The SSL certificate of the webservice
  2. The CA certificate that signed the SSL certificate
  3. The root certificate that signed the CA

What you have to do now is to include a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.

Generally the SSL server sends the whole chain except for the origin certificate to the client during SSL handshake. This refers that you have to include the origin certificate to your truststore:

keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot

More steps are essential in case the webservice needs SSL client authentication, however you have never mentioned client authentication, so I pretend that it is not essential.

The reason here is the alias you applied while importing the certificate which is corresponding to the one you applied while making the JKS store. Only change the alias and it will solve your problem. The source document  requires to be reformed accordingly.

In the 4 point (keytool error: java.lang.Exception: Public keys in reply and keystore don't match) where you are importing the certificate, please alter the alias. The alias must not be npci_client_testore as it is formerly applied for alias of keystore.

In my instance the "The origin certificate that signed the CA" was missing from the chain. Please check in case you have the adequate ROOT CA certificate otherwise export it from the Intermediate and then  import it in the keystore. Importing the origin CA into my keystore performed for me.

we had the same exception error hosting with Tomcat8. In case you have entered a wrong domain name or no domain name while making your keystore, you will require to re-create your Keystore file again and resubmit your CSR again to your Certification Authority (CA) licensed/recognised/approved to issue Digital Signature Certificates (Godaddy in my case).

Here are the commands to make a keystore file:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcat.keystore -deststoretype pkcs12

You require to enter the domain name when the prompt asks for a first and last name, it is requesting the Fully Qualified Domain Name (FDQN) . From the City, State and Province - do not abbreviate

Enter the following command to make the CSR (from the same directory as your tomcat.keystore location):

keytool -certreq -keyalg RSA -alias tomcat -file myFQDN.csr -keystore tomcat.keystore

Note: Cause of the previous "keystore don't match" error, we had to delete all my Godaddy certificates from my windows console (MMC).

Once your Certificate files are prepared from your Certification Authority. Then download the files and double click on each of the 2 .crt files to re-install them freshly in windows (select automatically install in Local Machine). Ensure that you have backup your tomcat.keystore file then import these certificate files in order into your tomcat.keystore file  with the same order as the following example:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file namewithnumbersandletters.crt

Ensure that you have updated your server.xml then restart your Tomcat

<Connector port="80" protocol="HTTP/1.1"
            redirectPort="443" />  
    keystoreFile="C:\Program Files\Java\jdk1.8.0_181\bin\tomcat.keystore" 
    sslProtocol="TLS" />

The Locked icon  arrives when browsing on the domain.

Remember your private key was in the keystore you accidently deleted. Public and private key should match, you cannot make one without the other.

The CSR has trifles regarding your public key. It is signed by an certificate authority , and bundle it in a certificate. The private key is not sent to the certificate authority.

Therefore in case you originated a fresh private-public key pair since deleting the original keystore, the public key you now have is not the one in the certificate you received. Nevertheless in case there was a way to force the public key in there, the cryptography would not perform.

This time you  have two choices :

  • Restore a backup and receive the old keystore back

  • Create a new request

1. Firstly, employing keytool utility have exported the private key

keytool -v -importkeystore -srckeystore keystorefile.jks -srcalias alias -destkeystore exportedfilefile.p12 -deststoretype PKCS12

openssl pkcs12 -in exportedfilefile.p12 -nocerts -nodes
  1. Secondly employing open ssl , exported the .pfx file employing the privatekey and .cert (servercertificate).

openssl pkcs12 -export -out exportedfilename.pfx -inkey  privatekey -in servercertificate.crt


31.7k points
edited by