Keytool error "Certificate reply does not contain public key" or "Public keys in reply and keystore don't match" when importing new SSL certificate
Summary: Keytool raises the error "Certificate reply does not contain public key" or "Public keys in reply and keystore don't match" when importing a new SSL certificate if the trusted full chain (root and subordinate CA certificates) is missing from the keystore, or if the certificate was not signed from the last CSR generated for that keystore.
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Importing a certificate using keytool produces one of the following errors:
# keytool -importcert -alias my-alias -keystore my-keystore.jks -trustcacerts -file my-signed-cert.pem
keytool error: java.lang.Exception: Certificate reply does not contain public key for my-alias
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Cause
These errors can have several causes, but they are mostly related to:
- using the wrong keystore file (not the one the CSR was generated from)
- for an externally signed certificate, missing trusted full-chain certificates (root and any subordinate CAs)
- the certificate was not signed from the last generated certificate signing request (CSR)
Resolution
Ensure the signed certificate and the CSR come from the correct keystore (private key) by comparing the modulus of each; the three hashes must be identical. Note that the openssl pkcs12 command reads a PKCS12-format keystore (as created with -storetype pkcs12 in step 1 below); a JKS-format keystore must first be converted with keytool -importkeystore -deststoretype pkcs12, and the -modulus check only applies to RSA keys:
# openssl pkcs12 -in my-keystore.jks -nodes -nocerts | openssl rsa -modulus -noout | openssl sha256
...
(stdin)= c46656d2c830cddba552198aa186ba4b13b0623d10d08768442fef28b9a4be4d
# openssl req -noout -modulus -in certreq.txt | openssl sha256
(stdin)= c46656d2c830cddba552198aa186ba4b13b0623d10d08768442fef28b9a4be4d
# openssl x509 -noout -modulus -in signed-cert.pem | openssl sha256
(stdin)= c46656d2c830cddba552198aa186ba4b13b0623d10d08768442fef28b9a4be4d
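The same consistency check, as an added example that is not part of this Dell article, written so it also works for non-RSA keys: instead of the RSA modulus it hashes the DER-encoded public key (SubjectPublicKeyInfo) carried by the private key, the CSR and the signed certificate, and reports whether all three agree. It assumes openssl is on the PATH and generates its own throwaway keys, CSRs and a self-signed stand-in for the CA reply; for a real keystore, first extract the private key to a PEM file with the openssl pkcs12 -nocerts -nodes command shown above and pass that file as KEY.

```shell
#!/bin/sh
# Added example (not the article's own commands): compare the public key in a
# private key, a CSR and a certificate the way keytool does before accepting a
# certificate reply. All fixtures below are constructed locally with openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hex SHA-256 of the DER public key. awk keeps only the digest, so the result
# is the same whether openssl prints "(stdin)= ..." or "SHA2-256(stdin)= ...".
pub_fp_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl sha256 | awk '{print $NF}'; }
pub_fp_csr()  { openssl req  -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | awk '{print $NF}'; }
pub_fp_cert() { openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | awk '{print $NF}'; }

# check_match KEY CSR CERT -> exit status 0 only when all three public keys agree.
# A mismatch here is exactly what keytool rejects with
# "Public keys in reply and keystore don't match".
check_match() {
  key_fp=$(pub_fp_key "$1")
  csr_fp=$(pub_fp_csr "$2")
  cert_fp=$(pub_fp_cert "$3")
  # 64 hex chars guards against an openssl failure yielding three empty strings
  [ "${#key_fp}" -eq 64 ] && [ "$key_fp" = "$csr_fp" ] && [ "$key_fp" = "$cert_fp" ]
}

# Constructed fixtures: two unrelated RSA keys, a CSR for each, and a
# self-signed certificate standing in for the external CA's reply to CSR 1.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key1.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key2.pem" 2>/dev/null
openssl req -new -batch -key "$WORK/key1.pem" -subj "/CN=example.test" -out "$WORK/req1.csr"
openssl req -new -batch -key "$WORK/key2.pem" -subj "/CN=example.test" -out "$WORK/req2.csr"
openssl x509 -req -in "$WORK/req1.csr" -signkey "$WORK/key1.pem" -days 1 -out "$WORK/cert1.pem" 2>/dev/null

# Good case: key 1, its CSR, and the certificate issued for that CSR.
if check_match "$WORK/key1.pem" "$WORK/req1.csr" "$WORK/cert1.pem"; then
  echo "key1/req1/cert1: public keys match, keytool import will succeed"
fi
# Failure case: the CSR was regenerated (key 2) after the certificate was issued for key 1.
if ! check_match "$WORK/key2.pem" "$WORK/req2.csr" "$WORK/cert1.pem"; then
  echo "key2/req2/cert1: public keys differ, keytool will reject the reply"
fi
```

Hashing the SubjectPublicKeyInfo rather than the modulus means the same three functions apply unchanged to EC keys, and comparing the CSR against the key catches the "CSR regenerated after signing" cause listed above before the certificate is even sent to the CA.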
Ensure Root CA and subordinate certificate(s) are present in keystore:
# keytool -list -keystore my-keystore.jks
Your keystore contains 3 entries
my-alias, Sep 28, 2022, PrivateKeyEntry, ...
rootCA, Sep 28, 2022, trustedCertEntry, ...
intermediateCA, Sep 28, 2022, trustedCertEntry, ...
To import an externally signed certificate, the principal steps are:
1/ Generate a new private key in its own keystore file:
# keytool -genkey -alias my-alias -keyalg RSA -keystore my-keystore.jks -storetype pkcs12
2/ Produce a signing request:
# keytool -certreq -keyalg RSA -alias my-alias -file my-sign-request.csr -keystore my-keystore.jks
3/ Get the CSR signed by the external CA.
You also need every certificate in the trust chain (root and subordinate CA(s)), each in a separate PEM-format file.
4/ Import the trusted root CA certificate:
# keytool -import -alias rootCA -keystore my-keystore.jks -trustcacerts -file root-CA.pem
5/ Import the intermediate certificates:
# keytool -import -alias intermediateCA -keystore my-keystore.jks -trustcacerts -file intermediate-CA.pem
(repeat for every subordinate CA in the signing chain, using a unique alias for each)
6/ Import the signed certificate (using the same alias as used in the CSR):
# keytool -import -alias my-alias -keystore my-keystore.jks -trustcacerts -file my-signed-cert.pem
This KB is focused on how to properly build a keystore with an externally signed SSL certificate using the Java keytool utility.
Refer to the documentation for PowerFlex implementation details:
- Security Configuration guide: Certificate management for PowerFlex Gateway
- Customize and Configure PowerFlex: Security
Affected Products
PowerFlex rack, PowerFlex Appliance, PowerFlex custom node, ScaleIO, PowerFlex Software
Article Properties
Article Number: 000206194
Article Type: Solution
Last Modified: 11 Apr 2025
Version: 3