LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-11-2011, 01:23 PM   #1
ajs418
LQ Newbie
 
Registered: May 2009
Posts: 4

Rep: Reputation: 0
Can't import a cert (signed with OpenSSL) into a Java Key Store using keytool


Hey everyone,

[Update] When I do an "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self-signed cert? How could the CA be producing a cert that has an issuer of another server? Am I just completely off base? Sorry, I'm a bit of a newb with the SSL pieces.

I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system. Any help would be greatly appreciated.

I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.

For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Am I doing something wrong in this whole process?

1) Generate the Private Key for the CA server
openssl genrsa -out CA.key -des 2048

2) Generate the CSR on the CA
openssl req -new -key CA.key -out CA.csr

3) Sign the new CSR so that it can be used as the root certificate
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf

4) On server1, create Server Private Key KeyStore
keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"

5) On server1, create a CSR from the recently created Private Key
keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr

6) Transfer the CSR over to the CA (server1) so that it can be signed
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf

7) Transfer CA Public Cert to server1 and Import into keytool
keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks

8) Import recently signed CSR to app server keystore (This is where I receive the error)
keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks

Thanks!

Last edited by ajs418; 02-11-2011 at 04:13 PM. Reason: Update
 
Old 02-11-2011, 05:51 PM   #2
ajs418
LQ Newbie
 
Registered: May 2009
Posts: 4

Original Poster
Rep: Reputation: 0

I got it! Before anything though, it looks like I also didn't need the "-trustcacerts" parameter in step 8 as I was not trying to import a trusted CA certificate. That was done in Step 7. It still produced the same problem afterwards, so that particular parameter, though incorrect, was not the issue.

Here's how I resolved it after correcting step 8...

1) Going back to the CA server I went and looked at the server1.pem that was produced. I tried to validate it against the CA's certificate

openssl verify -CAfile CA.pem server1.pem
server1.pem: /C=REDACTED/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=server1.domain.com
error 18 at 0 depth lookup:self signed certificate
OK

Seemed to be a clear indication that the certificate was not properly signed by OpenSSL.

2) I tried signing it using a different command I found here: http://www.dylanbeattie.net/docs/ope...ssl_howto.html

I received a much different set of responses from OpenSSL including

Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]

3) I tried my validate command again and got a plain "OK"

4) I now tried to import this new server1.pem using the keytool command and actually got the following error:

keytool error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data

5) When I looked at the file it seems that OpenSSL had added quite a bit of extra certificate information to the file. I deleted everything up to (but not including) the -----BEGIN CERTIFICATE----- line and tried the import one more time and it imported successfully!
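The step-6 signing mistake from the first post beside the correct CA signing, followed by the three checks the second post ends up doing by hand (issuer versus subject, openssl verify, and the text dump that keytool rejects), as an added example that is not code from the thread. It uses only openssl so it runs without a Java keystore: an openssl-generated server key and CSR stand in for the keytool -genkey/-certreq pair, the minimal openssl.cnf, the DNs and all file names under $WORK are constructed for the demo, and the v3_server extension section is an assumption about what a server certificate should carry (the thread signs the server cert with v3_ca, which is not what a server cert should have). The public-key comparison between CSR and certificate is the check behind keytool's "Public keys in reply and keystore don't match" message.

```shell
#!/bin/sh
# Added example, not the thread's own commands.  Reproduces step 6 as posted
# (openssl x509 -signkey) beside -CA/-CAkey signing, then runs the checks the
# second post arrives at.  Everything under $WORK is constructed for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
CNF="$WORK/openssl.cnf"

setup_ca() {
  # Minimal config so the demo does not depend on /usr/local/ssl/openssl.cnf.
  # v3_ca marks the root as a CA, which "openssl verify" requires of an issuer;
  # v3_server is what a leaf certificate should carry instead of v3_ca.
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:server1.domain.com
EOF
  # Unencrypted CA key for the demo (the thread uses -des); steps 2 and 3 of
  # the first post collapse into one "req -x509" self-signed root.
  openssl genrsa -out "$WORK/CA.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$CNF" -key "$WORK/CA.key" -days 730 \
    -subj "/CN=Example CA/O=Company/C=US" -out "$WORK/CA.pem" 2>/dev/null
  # Stand-in for keytool -genkey / -certreq (steps 4 and 5): server1's own
  # key pair and a CSR carrying server1's public key.
  openssl genrsa -out "$WORK/server1.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$WORK/server1.key" \
    -subj "/CN=server1.domain.com/O=Company/C=US" -out "$WORK/server1.csr" 2>/dev/null
}

sign_wrong() {
  # Step 6 as posted.  -signkey makes "openssl x509" build a SELF-SIGNED cert:
  # issuer is set to the CSR's subject and the public key becomes the signing
  # key's, so the result is neither issued by the CA nor bound to server1's key.
  openssl x509 -req -in "$WORK/server1.csr" -signkey "$WORK/CA.key" -days 365 \
    -out "$WORK/server1-wrong.pem" 2>/dev/null
}

sign_right() {
  # Issue from the CA: -CA/-CAkey make the CA the issuer and keep the CSR's key.
  openssl x509 -req -in "$WORK/server1.csr" -CA "$WORK/CA.pem" -CAkey "$WORK/CA.key" \
    -CAcreateserial -days 365 -extfile "$CNF" -extensions v3_server \
    -out "$WORK/server1.pem" 2>/dev/null
}

issuer_kind() {
  # "self-signed" when issuer == subject, else "ca-signed": the test the
  # first post's [Update] did with -issuer -noout.
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo self-signed; else echo ca-signed; fi
}

pubkey_matches_csr() {
  # keytool's "Public keys in reply and keystore don't match" is this check:
  # the certificate must carry exactly the public key from the CSR.
  if [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
       "$(openssl req -in "$WORK/server1.csr" -noout -pubkey)" ]; then echo yes; else echo no; fi
}

verifies_against_ca() {
  # Match "<file>: OK" rather than the exit status: the openssl in the thread
  # printed a bare "OK" even after "error 18 at 0 depth lookup:self signed certificate".
  if openssl verify -CAfile "$WORK/CA.pem" "$1" 2>&1 | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}

strip_text_dump() {
  # "openssl ca" writes a readable dump above the PEM block, which keytool
  # rejects as "invalid DER-encoded certificate data".  Re-reading the file
  # with openssl x509 keeps only the certificate; no hand-editing needed.
  openssl x509 -in "$1" -out "$2"
  head -n 1 "$2"
}

main() {
  setup_ca; sign_wrong; sign_right
  for c in server1-wrong.pem server1.pem; do
    printf '%-18s issuer=%s pubkey-matches-csr=%s verify=%s\n' "$c" \
      "$(issuer_kind "$WORK/$c")" "$(pubkey_matches_csr "$WORK/$c")" "$(verifies_against_ca "$WORK/$c")"
  done
  # Constructed stand-in for the text "openssl ca" prepends, then cleaned up.
  { printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n'; cat "$WORK/server1.pem"; } > "$WORK/server1-dump.pem"
  strip_text_dump "$WORK/server1-dump.pem" "$WORK/server1-clean.pem"
}

case "${1:-}" in --run) main ;; esac
```

Run it as `sh example.sh --run`; the wrong certificate reports issuer=self-signed and verify=FAIL, the correctly issued one reports ca-signed, pubkey-matches-csr=yes and verify=OK, and the cleaned file starts at -----BEGIN CERTIFICATE-----, which is the form keytool -import accepts. The same three checks can be run against a real server1.pem before importing it into the keystore, with the CSR produced by keytool -certreq in place of the constructed one.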