I'm trying to use OpenSSL to create a self-signed SSL certificate and then add that certificate to a JKS file (Java keystore) so I can have a Jetty-based web service serve that self-signed certificate to HTTP clients over HTTPS.
I created the OpenSSL self-signed cert:
openssl req -x509 -newkey rsa:4096 -keyout mykey-dev.pem -out mycsr-dev.pem -days 3650
I then created the JKS:
keytool -genkey -alias myorg -keyalg RSA -keystore myapp.jks -keysize 2048
I believe I now need to import the CSR (mycsr-dev.pem) into the JKS:
keytool -importcert -trustcacerts -file mycsr-dev.pem -alias myorg -keystore myapp.jks
This produces the following error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Any idea what the problem is?
The problem occurred because keytool genkey -alias myorg ... created a keypair and the openssl req command also creates an unrelated keypair. Trying to import the cert from the openssl req command into the JKS keystore under the myorg alias therefore causes a conflict between the two different public keys. If you intend to import a trusted certificate into the keystore then simply do the import under the desired alias; there is no need to create the alias ahead of time with keytool genkey ....
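As an added example (not part of the question or the answer), the script below reproduces the mismatch the answer describes using openssl alone, checks a certificate against a private key before any import, and shows the PKCS12 route for getting the key and certificate into the JKS under one alias so Jetty can serve it. File names and the alias follow the question; the -nodes and -subj options, the password changeit, the temporary directory and the helper names are assumptions made so it runs unattended.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Shows why keytool says
# "Public keys in reply and keystore don't match": the cert from "openssl req -x509"
# belongs to mykey-dev.pem, not to the keypair "keytool -genkey -alias myorg" made.
# Assumes openssl on PATH; keytool steps run only when keytool is installed.
# -nodes and -subj are added (assumption) so nothing prompts interactively.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same shape as the question's command: -x509 means the "csr" file is a certificate.
gen_selfsigned() {  # $1 = key file, $2 = cert file
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$1" -out "$2" -days 3650 2>/dev/null
}

# Exit 0 when the certificate's SubjectPublicKeyInfo equals the private key's.
# This is the comparison keytool performs before it reports the mismatch.
cert_matches_key() {  # $1 = cert PEM, $2 = private key PEM
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The fix for a server keystore: bundle key+cert as PKCS12 and import that under
# the alias, instead of pre-creating the alias with keytool -genkey.
import_pair_to_jks() {  # $1 = key, $2 = cert, $3 = jks path, $4 = alias, $5 = password
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "$4" -passout "pass:$5" -out "$WORK/bundle.p12"
  keytool -importkeystore -noprompt -srckeystore "$WORK/bundle.p12" -srcstoretype PKCS12 \
    -srcstorepass "$5" -destkeystore "$3" -deststoretype JKS -deststorepass "$5" 2>/dev/null
}

demo() {
  gen_selfsigned "$WORK/mykey-dev.pem" "$WORK/mycsr-dev.pem"
  # Stands in for the unrelated keypair that "keytool -genkey -alias myorg" created.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/myorg-key.pem" 2>/dev/null
  cert_matches_key "$WORK/mycsr-dev.pem" "$WORK/mykey-dev.pem" && echo "cert matches mykey-dev.pem"
  cert_matches_key "$WORK/mycsr-dev.pem" "$WORK/myorg-key.pem" \
    || echo "cert does not match the myorg keypair: this is what keytool rejects"
  if command -v keytool >/dev/null 2>&1; then
    import_pair_to_jks "$WORK/mykey-dev.pem" "$WORK/mycsr-dev.pem" "$WORK/myapp.jks" myorg changeit
    keytool -list -keystore "$WORK/myapp.jks" -storepass changeit -alias myorg
  fi
}
demo
```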