The public key of CA reply does not match the public key of the key entry

waltb @ Fri Jan 02 12:26:46 EET 2015
Trying to install certificate, using wiki page:
http://www.crushftp.com/crush6wiki/Wiki.jsp?page=Portecle

Everything was going well, up until the point:
[i]Now, import the "signed" version of your certificate file using the right click Import CA Reply menu.[/i]

For the password, I didn't read your instructions fully and assumed the password I was being asked for was the keystore password. I now realize I should have used the "changeit" password but now whenever I try this step I get an error before being prompted for a password of

[i]The public key of CA reply does not match the public key of the key entry[/i]

Of Note:
The certificate provider zipped 4 files, one of which was named after the domain name I'm looking to certify. That is the file I'm trying to import, not the other 3.


waltb @ Fri Jan 02 12:27:55 EET 2015
Also, I am able to open cacerts using default password in portecle.

spinkb @ Fri Jan 02 12:36:04 EET 2015
You have missed something in the steps.

You started over with a new keystore at some point. So re-sign your keystore again by getting a CSR from the private key, and importing the CA reply.

The CA reply you have now is not for the private key in this keystore...so it's useless.

But more importantly...why aren't you using CrushFTP 7? And then why aren't you following the v7 guide?

There is no reason to still be on v6, you may be putting your server at risk if you don't keep things somewhat updated.

Thanks,
Ben

waltb @ Fri Jan 02 12:40:39 EET 2015
Hi Ben,
I am using version 7, I didn't realize that link was for version 6.

I'll start cert process over again. I didn't realize you could do that.

Thanks again,
Walt

spinkb @ Fri Jan 02 12:43:16 EET 2015
OK, because the process is all built in and much easier in v7... :)

--Ben

waltb @ Fri Jan 02 12:53:03 EET 2015
I tried that first and experienced an error so I tried the Portecle route.

I just tried it again, but first I clicked the "Reset to Default" button on the IP Server settings page, to clear out any mess up there might have been.

Generate Key worked ok, but when I click Generate CSR button, I still get this error:

[i]Error:java.io.IOException: Keystore was tampered with, or password was incorrect

ERROR:/C:/Users/JohnDoe/Desktop/Certificate/ftp_domainname_com.jks failed to be generated.[/i]

spinkb @ Fri Jan 02 12:57:43 EET 2015
Is this CrushFTP 7.2?

This error means the password you have in the generate CSR step isn't correct, so it can't open the keystore to generate the CSR.

Re-enter the password on step 2.

Thanks,
Ben

waltb @ Fri Jan 02 13:43:42 EET 2015
I'm still getting password errors. It feels like something else is wrong. I know the password I'm choosing for my key, I verify it by opening it in Portecle ok.

Is there some way to clean out this instance memory of anything having to do with certificates?

Also I'm in the US, and I noticed some language on your wiki page about export laws and Java. Does that apply?

spinkb @ Fri Jan 02 15:28:11 EET 2015
Just for testing...try keeping the password as something really simple, like "password".

Can you do the whole process that way? We can change it later on using Portecle.

If you're using a strong key...yes, you do have the worry about the export restriction bureaucracy. It's a political nonsense decision from probably 15 years ago? That may in fact be what is causing issues...it can't read the key because it was saved in such a strong format.

So follow the top entry here to get updated policy files installed. (All they literally do is change a piece of text that says you can do keys of unlimited size. Nothing special, just a political decision.)

http://www.crushftp.com/crush7wiki/Wiki.jsp?page=FAQ

Thanks,
Ben

waltb @ Fri Jan 02 15:56:13 EET 2015
Thanks for hanging in there with me Ben.

I clicked Generate Key
I typed in appropriate info
I typed in a simple password

I clicked Generate CSR
Enter path and password.
Got Success.
Copied Cert Request to clipboard
Testing Certificate - Cert test successful

Logged into cert provider, copy/pasted new csr request.
Received new files from cert provider

In CrushFTP, Clicked Import Reply
Clicked Browse, chose directory all new certs are now saved to
Enter new "simple" Keystore password
Clicked Browse, selected certificate reply file

Added each trusted certificate (3 additional)
Clicked Import

Generated error:
Error:java:io.IOException: Keystore was tampered with or password incorrect

Error: /C:/Users/walt/desktop/certs/ftp_domain_com.crt failed to be imported into /c:/users/walt/desktop/certs/ftp_domain_com.jks.


I have not tried downloading and manually installing policy files to Java lib/security folder yet. Perhaps Monday.


waltb @ Fri Jan 02 15:58:06 EET 2015
Oh by the way, within CrushFTP, you have 2 different links for the portecle tutorial

The one in the yellow highlighted section that says Instructions, links to the Crush6 wiki. The one above it, to 7.

Have a good weekend. Happy New Year!

spinkb @ Fri Jan 02 16:09:27 EET 2015
Maybe that is the clue I needed...

Use the prefs, encryption, SSL tab. Do it there instead of on the individual port item...maybe that is the issue?

I've now had the old links removed, missed those.

Thanks,
Ben
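
As an added example (not part of the thread, and not CrushFTP or Portecle code), this small Java program tells apart the two errors discussed above: a wrong keystore password, and a CA reply whose public key differs from the one in the key entry. The class name `CaReplyCheck` and its arguments are assumptions; it expects a JKS keystore and a single X.509 reply certificate in PEM or DER form.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
// Added example. Usage: java CaReplyCheck <keystore.jks> <alias> <reply.crt>
public class CaReplyCheck {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 3 || console == null) {
            System.err.println("usage (interactive): CaReplyCheck <keystore.jks> <alias> <reply.crt>");
            System.exit(2);
        }
        // Prompt instead of taking the password from argv, where other local users could see it
        char[] storePass = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        } catch (IOException e) {
            // A wrong store password is reported as IOException caused by UnrecoverableKeyException
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.err.println("Wrong keystore password for " + args[0]);
                System.exit(1);
            }
            throw e; // unreadable, truncated or non-JKS file
        }
        if (!ks.isKeyEntry(args[1])) {
            System.err.println("No private-key entry under alias " + args[1]);
            System.exit(1);
        }
        // Certificate stored with the key entry: holds the public half of the private key
        PublicKey entryKey = ks.getCertificate(args[1]).getPublicKey();
        Certificate reply;
        try (InputStream in = new FileInputStream(args[2])) {
            reply = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Compare the encoded SubjectPublicKeyInfo of both keys
        if (!Arrays.equals(entryKey.getEncoded(), reply.getPublicKey().getEncoded())) {
            System.out.println("MISMATCH: reply was issued for a CSR from a different key pair");
            System.exit(1);
        }
        System.out.println("MATCH: reply belongs to this key entry");
    }
}
```

A MISMATCH result means the keystore was regenerated after the CSR was sent, so a fresh CSR from the current key entry has to be signed before the import can succeed.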