java.lang.Exception: Public keys in reply and keystore don't match


Problem description

I have to access a webservice hosted at port 443. The service provider has shared three certificates with us.

  1. ABCD.cer
  2. CA_Certificate.cer
  3. CCA_Certificate.cer

I have to add them to the keystore by creating a form chain for the SSL communication. I have followed the steps below.

  1. keytool -keystore npci_keystore_test.jks -genkey -alias npci_client_testore

     Result :- keystore npci_keystore_test.jks created.

  2. keytool -import -keystore npci_keystore_test.jks -file CA_Certificate.cer -alias theCARoot

     Result :- certificate CA_Certificate.cer is added to keystore.

  3. keytool -import -keystore npci_keystore_test.jks -file CCA_Certificate.cer -alias theCCARoot

     Result :- certificate CCA_Certificate.cer is added to keystore.

  4. keytool -import -keystore npci_keystore_test.jks -file ABCD.cer -alias npci_client_testore

At step 4 I have the below exception.

Enter keystore password: (and when I enter the password I have the below exception)

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I have already searched on SO, but so far no luck.

I am following the below source to create the store and import the certificate into it. JKS Keystore

---

I have tested it by changing the import order of the certificates, but no luck so far.

Recommended answer

The link in your question explains how to create an SSL keystore for a server, which is not what you want to do. What you did was:

1. Create a new key pair
2. Add a trusted certificate to the keystore
3. Add another trusted certificate to the keystore
4. Try to import the server's SSL certificate as the certificate for the key pair

Step 4 fails because the SSL certificate was generated for a completely different key pair.

The three certificates are probably:

1. The SSL certificate of the webservice
2. The CA certificate that signed the SSL certificate
3. The root certificate that signed the CA

What you have to do now is to add a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.

Usually the SSL server sends the whole chain except for the root certificate to the client during SSL handshake. This means that you have to add the root certificate to your truststore:

    keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot

Additional steps are necessary if the webservice requires SSL client authentication, but you have never mentioned client authentication, so I assume that it is not necessary.
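The failure at step 4, as an added example (not code from the original post or from keytool): the program compares the public key held under a private-key alias with the public key in a certificate file, which is the comparison that fails when keytool reports "Public keys in reply and keystore don't match". The class name `ReplyKeyCheck` and its argument order are assumptions; the file names in the usage comment are the ones from the question, and Java 9 or later is assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;

// Added example; class name and argument order are assumptions, not part of keytool.
// Usage: java ReplyKeyCheck npci_keystore_test.jks npci_client_testore ABCD.cer
public class ReplyKeyCheck {

    // Compare the encoded public keys (SubjectPublicKeyInfo bytes) so the
    // result does not depend on a provider-specific equals() implementation.
    static boolean sameKey(PublicKey entryKey, PublicKey certKey) {
        return Arrays.equals(entryKey.getEncoded(), certKey.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage (interactive): ReplyKeyCheck <keystore> <alias> <cert-file>");
            System.exit(2);
        }
        char[] password = System.console().readPassword("Enter keystore password: ");
        KeyStore ks = KeyStore.getInstance(new File(args[0]), password); // detects JKS/PKCS12
        Arrays.fill(password, '\0');
        if (!ks.isKeyEntry(args[1])) {
            // Not a private key entry, so there is no key pair to compare against.
            System.out.println("'" + args[1] + "' is not a private key entry");
            return;
        }
        Certificate current = ks.getCertificate(args[1]); // certificate paired with the private key
        Certificate reply;
        try (InputStream in = new FileInputStream(args[2])) {
            reply = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        if (sameKey(current.getPublicKey(), reply.getPublicKey())) {
            System.out.println("MATCH: certificate was issued for this key pair");
        } else {
            System.out.println("MISMATCH: certificate belongs to a different key pair");
            System.exit(1);
        }
    }
}
```

A MISMATCH result for a server's certificate is expected on a client: that certificate belongs in a truststore as a trusted entry under its own alias, not under the alias of a locally generated key pair.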
