Nicholas,
You bring up a good point about the alias. It's what I feel most people
mess up on when installing SSL Certificates to a keystore. If no alias
is specified upon creation of the keystore, the alias is "mykey". You
can import ANY certificate you want into the keystore. You don't need
its private key. So keytool will act as if nothing is wrong. It's very
sneaky in this regard.
One can easily see the contents of the keystore:
`keytool -keystore KEYSTORE_FILE -v -list -storepass PASSWORD > SOMEFILE.TXT`
and one can see the alias here if they so forget what they gave it.
Miguel,
In regards to your issue, make sure the CSR and Certificate's modulus
match. Easiest way is via OpenSSL. Since you're on CentOS, you probably
already have this.
`openssl x509 -noout -modulus -in YOUR_CERT.crt | openssl md5` and
`openssl req -noout -modulus -in YOUR.CSR | openssl md5`
Compare these two hashes. And if they're different...
`openssl x509 -noout -serial -in YOUR_CERT.crt`, and verify the serial
number with Network Solutions, your CA as they might have sent you the
wrong certificate. Worst comes to worst, you might have to get a
re-issue and make your keystore and CSR have unique matching file names.
On 10/20/2009 12:19 PM, Nicholas Sushkin wrote:
Miguel,
I just installed a cert using our own CA, had a bit of trouble myself, but
it worked in the end. I found Comodo's and Herong Yang's instructions
useful. See
http://www.herongyang.com/crypto/OpenSSL_Signing_keytool_CSR.html and
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1204
One thing to note is that when you import cert, use the same certificate
alias as the key's (for example, "-genkey -alias tomcat" followed
by "-import -trustcacerts -alias tomcat")
On Tuesday 20 October 2009 10:36, Miguel Ortiz wrote:
I have a tomcat 5 web server setup on CentOS, I am currently working on
installing a SSL cert but don't seem to be having any luck. I get the
following error:
keytool error: java.lang.Exception: Public key in reply and keystore
don't match
I have reissued the cert through Network Solutions and followed the
following instructions to generate and install the cert. I have run out
of my patience with them. Is there anything else that I may be missing?
Thanks
http://www.networksolutions.com/support/csr-for-java-based-webservers-such-as-tomcat-using-keytool/
http://www.networksolutions.com/support/installation-for-java-based-webservers-such-as-tomcat-using-keytool/
Miguel
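
The modulus comparison suggested in the reply at the top of this thread, wrapped in a script. This is an added example, not part of the original messages: the function names, file names and the throwaway key, CSR and certificates it generates are constructed for illustration. It compares the modulus strings directly instead of their MD5 digests and prints the certificate serial on a mismatch.

```shell
#!/bin/sh
# Added example: check whether a CA reply belongs to a CSR by comparing RSA moduli.

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_csr() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    csr_mod=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$csr_mod" ]
}

# Constructed test material (not real certificates): a.csr and a.crt share a key,
# b.crt has the same subject but was made from a different key.
make_demo_files() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example.test" \
        -keyout "$1/a.key" -out "$1/a.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" >/dev/null 2>&1 &&
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.example.test" \
        -days 1 -keyout "$1/b.key" -out "$1/b.crt" >/dev/null 2>&1
}

# Print a verdict; on mismatch also print the serial to quote to the CA.
check_reply() {
    rc=0
    cert_matches_csr "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 matches $2" ;;
        1) echo "MISMATCH: $1 was not issued for $2"
           openssl x509 -noout -serial -in "$1" ;;
        *) echo "ERROR: could not parse $1 or $2" ;;
    esac
    return $rc
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_files "$dir" || { rm -rf "$dir"; return 1; }
    check_reply "$dir/a.crt" "$dir/a.csr"   # same key: match
    check_reply "$dir/b.crt" "$dir/a.csr"   # same subject, other key: mismatch
    rm -rf "$dir"
}

demo || echo "demo failed (is openssl installed?)" >&2
```

A mismatch here corresponds to the "Public key in reply and keystore don't match" error keytool reports on import.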