How To
Summary
Public keys in reply and keystore don't match when a certificate is imported into IBM SOAR
Steps
Symptom
This error is seen when importing an SSL certificate into IBM SOAR:
"keytool error: java.lang.Exception: Public keys in reply and keystore don't match"
Cause
The error "keytool error: java.lang.Exception: Public keys in reply and keystore don't match" means that the certificate you are importing contains a different public key from the one in the "/crypt/certs/keystore" file in IBM SOAR.
Troubleshooting
1) Check the certificate to ensure that its CN and DNS names match the IBM SOAR server.
If the certificate is in the DER-encoded .cer format, convert it to .pem first, then print its contents:
openssl x509 -inform der -in new.cer -out cert.pem
openssl x509 -in cert.pem -text -noout
2) Print the md5 hash of the SSL Certificate modulus:
openssl x509 -noout -modulus -in CERTIFICATE.crt | openssl md5
Print the md5 hash of the CSR modulus:
openssl req -noout -modulus -in CSR.csr | openssl md5
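If you have the private key, print the md5 hash of the Private Key modulus:
openssl rsa -noout -modulus -in PRIVATEKEY.key | openssl md5
The hashes must be identical. If the certificate hash differs from the CSR or private key hash, the certificate was issued for a different key pair.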
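The comparison in step 2 can be scripted. This is an added example, not part of the IBM document: it goes beyond the modulus check by hashing the whole public key with SHA-256, so it also works for non-RSA keys. The function names, file names and CN are assumptions, and the key pairs are throwaway samples generated for the demonstration.

```shell
#!/bin/sh
# Added example: confirm a certificate matches the CSR (or private key) before import.
# Compares the whole public key with SHA-256, so it is not limited to RSA keys.

# Print the SHA-256 digest of the public key held in a PEM cert, CSR or private key.
pubkey_digest() {   # $1 = cert|csr|key, $2 = PEM file
    case "$1" in
        cert) _pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  _pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  _pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$_pub" ] || return 1          # unreadable file or wrong file type
    printf '%s\n' "$_pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if the certificate carries the same public key as the CSR or key,
# 1 on a mismatch, 2 if either file cannot be parsed.
same_pubkey() {     # $1 = cert file, $2 = csr|key, $3 = CSR or key file
    _c=$(pubkey_digest cert "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
    _o=$(pubkey_digest "$2" "$3") || { echo "cannot parse $2: $3" >&2; return 2; }
    [ "$_c" = "$_o" ]
}

# Constructed sample input: two throwaway key pairs (all names are placeholders).
# a.csr and a.crt share key A; b.crt was issued for the unrelated key B.
make_samples() {    # $1 = empty working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=soar.example.test" \
        -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    openssl req -new -key "$1/a.key" -subj "/CN=soar.example.test" \
        -out "$1/a.csr" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=soar.example.test" \
        -keyout "$1/b.key" -out "$1/b.crt" 2>/dev/null
}

work=$(mktemp -d) && make_samples "$work" || exit 1
for crt in a.crt b.crt; do
    if same_pubkey "$work/$crt" csr "$work/a.csr"; then
        echo "$crt: public key matches a.csr"
    else
        echo "$crt: public key does NOT match a.csr (keytool would reject it)"
    fi
done
```

On a real system, pass the issued certificate and the CSR that was sent to the CA; a non-zero return means the certificate belongs to a different key pair.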
Solution
To fix the problem, you can try one of the following methods.
1. If you have a private key and a root CA certificate with the PEM file, you can create a p12 certificate. Follow "Importing a PEM certificate with private key" for further instructions.
2. If you don't have a private key, you need to follow the steps in the heading "SSL certificates" in the IBM SOAR documentation to create a new certificate signing request (CSR):
sudo cert-req
Send the generated CSR file to a certificate authority (CA). Once a new certificate is issued by the CA, you can import it into IBM SOAR:
sudo cert-import <cert-file>
3. If your certificates are in pem or p7b format, you can follow the instructions in "Importing the certificate chain or a p7b certificate".
Document Location
Worldwide
Document Information
Modified date:
04 August 2021
UID
ibm11161736