Skip to content

java.lang.Exception: Public keys in reply and keystore don’t match

I have to access a webservice hosted at port 443.Service provider has shared three certificate with us.

  1. ABCD.cer
  2. CA_Certificate.cer
  3. CCA_Certificate.cer

I have to add them to keystore by creating a form chain for the SSL communication.I have followed below steps.

  1. keytool -keystore npci_keystore_test.jks -genkey -alias npci_client_testore

       Result :- keystore npci_keystore_test.jks created.
  2. keytool -import -keystore npci_keystore_test.jks -file CA_Certificate.cer -alias theCARoot

       Result :- certificate CA_Certificate.cer is added to keystore.
  3. keytool -import -keystore npci_keystore_test.jks -file CCA_Certificate.cer -alias theCCARoot

       Result :- certificate CCA_Certificate.cer is added to keystore.
  4. keytool -import -keystore npci_keystore_test.jks -file ABCD.cer -alias npci_client_testore

    At the step 4 i have below exception

    Enter keystore password: (and when i enter password i have below exception)

    keytool error: java.lang.Exception: Public keys in reply and keystore don’t match

I have already done search in SO,but so far no luck.

I am following below source to create the store and import certificate in it. JKS Keystore


I have tested it by changing the import order of certificate,but no luck so far.


The link in your question explains how to create an SSL keystore for a server, which is not what you want to do. What you did was:

  1. Create a new key pair
  2. Add a trusted certificate to the keystore
  3. Add another trusted certificate to the keystore
  4. Try to import the SSL certificate of the server as a certificate for your key pair

Step 4 fails because the SSL certificate was generated for a completely different key pair.

The three certificates are probably:

  1. The SSL certificate of the webservice
  2. The CA certificate that signed the SSL certificate
  3. The root certificate that signed the CA

What you have to do now is to add a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.

Usually the SSL server sends the whole chain except for the root certificate to the client during SSL handshake. This means that you have to add the root certificate to your truststore:

keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot

Additional steps are necessary if the webservice requires SSL client authentication, but you have never mentioned client authentication, so I assume that it is not necessary.