Keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Hi all,

I followed the instructions here to intsall a cert on my Tomcat 6: Configuring Let's Encrypt with Tomcat 6.x and 7.x

I have Tomcat 6.0.35 on Debian Wheezey.

When running step:
sudo keytool -import -trustcacerts -alias tomcat -file 0000_chain.pem -keystore /usr/share/tomcat7/.keystore

I see:
keytool error: java.lang.Exception: Public keys in reply and keystore don’t match

Do I need to import any of the other generated files by letsencrypt:


Many thanks.

Hi @JeremyColton

A JKS cannot exist without a key and a certificate in it.

You are importing a certificate to an existing key.

You need to convert your key and cert to a PFX and then import that.

A lot of theory here: Tutorial - Java KeyStores (JKS) With Let's Encrypt

How to do the PFX: Certbot and Tomcat - Certificates Obtained but Not Converted to JKS and Configured with Tomcat (FIXED!)


1 Like

I agree with @ahaw021, you can’t store a key from just the public cert.
Your command broken down [my best guess]:
sudo [elevate user]
keytool [execute program]
-import [take import action]
-trustcacerts [trust any CA certs found in the imported key file]
-alias tomcat [friendly name for imported key]
-file 0000_chain.pem [file to import]
-keystore /usr/share/tomcat7/.keystore [where to store the imported file]

So the problem is in the:
-file 0000_chain.pem [file to import]
Which expects a complete key file [containing public and private parts + maybe chain]

Hi @rg305 and @ahaw021,thanks for your replies but I don’t understand. The links that you shared don’t explain where the private key .pem files comes from!

The steps in the original link Configuring Let's Encrypt with Tomcat 6.x and 7.x resulted in 5 files in my folder:

  1. my.keystore (contains private key? how do I export it?)
    2, request.csr (sent to letsencrypt via certbot)

Resulting files from my certbot request:

certbot-auto certonly --csr request.csr

  1. 0000_cert.pem (signed cert?)
  2. 0000_chain.pem (?)
  3. 0001_chain.pem (?)

a) Where is the private key .pem file that I need to combine with my cert to generate a PFX?
b) Is the original link wrong/old?


Do you have a secure web site?
If so, then the private key location would be shown in the configuration in use.

The default letsencrypt location would be something like:

Not if you explicitly used a CSR when obtaining the certificate!

We have little to go by…

Other than this is mostly a “keytool” usage problem - not LE.

Hi @rg305, I followed the steps in the article Configuring Let's Encrypt with Tomcat 6.x and 7.x

I never installed a secure cert on my Tomcat before. The path /etc/letsencrypt/live doesn’t exist. I’m using JDK 7.

It seems the article I followed is simply wrong. If someone at letsencrypt can explain steps from a to z how to install a cert on Tomcat, i’d be eternally grateful…

Following the instructions you followed:
which of these steps failed?
echo " – Build CSR – "
sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/tomcat7/.keystore -storepass "your_pass"
echo " – Request Certificate – "
sudo certbot certonly --csr ./request.csr --standalone
echo " – import Certificate – "
sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /usr/share/tomcat7/.keystore -storepass “your_pass

Hi @rg305,

The 3rd step that you listed regarding importing the cert. results in this error:
keytool error: java.lang.Exception: Public keys in reply and keystore don’t match

The 2nd ‘certbot’ step produces the 3 original files I listed in my first entry in this thread:

No private key as far as I can see. But I read that the private key is placed in my keystore when I ran the step:
/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/mytomcat//keystore/my.keystore -keysize 2048

Correct? So perhaps I can extract it from the keystore and use it to generate the PFX file which I then import into my key store?

So simple, not :wink:

echo " – import Certificate – "
sudo keytool -import -trustcacerts -alias tomcat -file 0000_chain.pem -keystore /usr/share/tomcat7/.keystore -storepass “your_pass”

1 Like


you let's encrypt live folder should contain the following artifacts if you used certbot without the CSR command

The private key is NOT there for you because it's in your java key store.

The fact that you are getting a mismatch is one of three possibilities

A) You created the CSR from the wrong store
B) You are importing the certificate in to the wrong store
C You are importing the wrong certificate in to your store

I would suggest reading the article below carefully (it explains all the concepts) and following rather than just using the scripts (as you may not be using the syntax correctly)

I know it's your first time working with Tomcat but understanding the concepts is a better investment of time in my opinion than trying lots of different things and hoping one works :smiley:


1 Like


I read the link you provided and it helped. I had 2 issues:

  1. I noticed that the file to import was 0000_cert.pem in the original article that I followed to get HTTPS running. It should be 0001_chain.pem

  2. Also, in Tomcat 6’s server.xml config, it should be “keystoreFile” and “keystorePass”, please note the lower-case “k” in these 2 params.

Many thanks to everyone for your help - amazing service and info! +1000 points to everyone here!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.