
Java keytool doesn't like OpenSSL CSR

I'm trying to use OpenSSL to create a self-signed SSL certificate and then add that certificate to a JKS file (Java keystore) so I can have a Jetty-based web service serve that self-signed certificate to HTTP clients over HTTPS.

I created the OpenSSL self-signed cert:

openssl req -x509 -newkey rsa:4096 -keyout mykey-dev.pem -out mycsr-dev.pem -days 3650

I then created the JKS:

keytool -genkey -alias myorg -keyalg RSA -keystore myapp.jks -keysize 2048

I believe I now need to import the CSR (mycsr-dev.pem) into the JKS:

keytool -importcert -trustcacerts -file mycsr-dev.pem -alias myorg -keystore myapp.jks

This produces the following error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Any idea what the problem is?

openssl creates a PEM format file, while keytool uses the JKS format.

This is how to convert a certificate from PEM to JKS:

cat cert_public_key.pem cert_private_key.pem | openssl pkcs12 -export -out cert.p12

keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -destkeystore cert.jks

The problem occurred because keytool genkey -alias myorg ... created a keypair and the openssl req command also creates an unrelated keypair. Trying to import the cert from the openssl req command into the JKS keystore under the myorg alias therefore causes a conflict between the two different public keys. If you intend to import a trusted certificate into the keystore then simply do the import under the desired alias; there is no need to create the alias ahead of time with keytool genkey ...
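The two answers together give the working flow: one openssl key pair, bundled with its self-signed certificate into PKCS#12 and imported as a whole entry, so no second key pair from keytool exists to conflict with. The script below is an added example, not code from the question or the answers; file names, the alias myorg, CN=localhost and the password changeit are assumptions for the demo. After the import it checks what a practitioner should check: that the alias holds a PrivateKeyEntry (key plus cert, which Jetty can serve) rather than a trustedCertEntry, and that the certificate in the keystore is the one openssl produced.

```shell
#!/bin/sh
# Added example: self-signed cert via openssl -> PKCS#12 -> JKS, then verified.
set -eu

# Key + self-signed cert, as in the question's openssl req but non-interactive.
make_cert() {                       # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$1/mykey-dev.pem" -out "$1/mycert-dev.pem" -days 3650 2>/dev/null
}

# Bundle key and cert into PKCS#12 and import that entry into the JKS.
# -name sets the alias, so no prior keytool -genkey under "myorg" is needed.
# 3DES/SHA-1 PBE is chosen only so that older JDKs can also read the .p12.
build_keystore() {                  # $1 = work dir, $2 = store password
    make_cert "$1"
    openssl pkcs12 -export -name myorg -inkey "$1/mykey-dev.pem" -in "$1/mycert-dev.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$1/cert.p12" -passout "pass:$2"
    keytool -importkeystore -noprompt \
        -srckeystore "$1/cert.p12" -srcstoretype pkcs12 -srcstorepass "$2" \
        -destkeystore "$1/myapp.jks" -deststoretype jks -deststorepass "$2" >/dev/null 2>&1
}

# Entry type stored under an alias: PrivateKeyEntry (key + cert) or
# trustedCertEntry (cert only, what -importcert under a fresh alias creates).
entry_type() {                      # $1 = keystore, $2 = password, $3 = alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# SHA-256 fingerprints of the PEM cert and of the cert in the keystore; equal
# values prove the keystore entry is the openssl certificate, not a keytool one.
pem_fingerprint() {                 # $1 = cert PEM
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//; s/://g'
}
jks_fingerprint() {                 # $1 = keystore, $2 = password, $3 = alias
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//; s/://g'
}

# Usage: sh build_jks.sh run   (builds myapp.jks in a temp dir and prints the checks)
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    build_keystore "$work" changeit
    echo "keystore:   $work/myapp.jks"
    echo "entry type: $(entry_type "$work/myapp.jks" changeit myorg)"
    echo "pem  cert:  $(pem_fingerprint "$work/mycert-dev.pem")"
    echo "jks  cert:  $(jks_fingerprint "$work/myapp.jks" changeit myorg)"
fi
```

Running the question's original sequence instead (keytool -genkey under myorg, then keytool -importcert of the openssl cert under the same alias) makes keytool treat the cert as a CA reply for its own key and fail with exactly the "Public keys in reply and keystore don't match" error.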
