Problem
Customer needs to replace the self-signed server certificate that ships with the product with a certificate signed by a Certificate Authority (CA).
Error Message
Possible errors when attempting to import the signed certificate if the private key is missing or does not match the certificate:
Keytool error: java.lang.Exception: Public keys in reply and keystore don't match
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect.
Cause
The password entered was invalid.
The private key was not generated before the certificate request was created.
Solution
Follow these steps to properly generate the key pair, create a certificate signing request (CSR) and import the signed certificate.
Note: If the Certificate Authority (CA) is internal to the company, or is otherwise not trusted in the environment, the administrator will also have to import the certificate chain so that the path up to the CA can be validated.
1. In a command prompt, change directory to the Data Insight <installdir>\jre\bin\ location and run the following:
keytool -genkey -alias portal -keyalg RSA -validity 730 -keysize 1024 -keypass changeit -keystore portal.keystore -storepass changeit -storetype JKS -dname cn=common_name,o=organization_name,ou=organization_unit,l=city,s=state,c=US
2. Create the CSR
keytool -certreq -alias portal -keyalg RSA -keystore portal.keystore -storetype JKS -storepass changeit -file "DataInsight.csr"
3. Submit the CSR to the CA to be signed.
4. Back up the newly generated portal.keystore and the signed certificate to an alternate location.
5. Confirm the signed certificate is correct. Open a command prompt and run the following command to view the certificate's fingerprint(s):
keytool -printcert -file signed_certificate_filename
6. If you used an internal signing authority, also view the fingerprint(s) of the root certificate using the same -printcert command:
keytool -printcert -file name_of_root_certificate_provided_by_internal_signature_authority
7. Use the following command to update the portal.keystore file with the root certificate:
keytool.exe -importcert -alias root -file root_certificate_filename -keystore portal.keystore
8. Use the following command to update the portal.keystore file with the intermediary certificate:
keytool.exe -importcert -alias inter -file Issuing_intermediary_certificate_filename -keystore portal.keystore
9. Use the following command to update the portal.keystore file with the signed certificate:
keytool -importcert -alias portal -keystore portal.keystore -trustcacerts -file signed_certificate_filename
Note: The private key must match the signed certificate (think lock and key) for the import into the keystore to succeed; otherwise the "Public keys in reply and keystore don't match" error occurs.
10. After backing up the original portal.keystore that was generated at installation (so a rollback is possible), move the new portal.keystore into the C:\DataInsight\data\keys folder.
11. Restart the DataInsightPortal service.
To test, log into the portal web server with a valid custodian assigned to a workflow.
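The following is an added example, not code from the product or this article: a small Java check to run before step 9 that loads portal.keystore, reads the public half of the key under alias "portal" created in step 1, and compares it with the public key inside the CA's signed reply, so a mismatch (the "Public keys in reply and keystore don't match" condition) or a wrong store password is caught before anything is imported. The class name, the default file paths and the use of the "changeit" store password from step 1 are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/* Pre-import check for step 9: does the CA's signed reply carry the public half
   of the private key stored under alias "portal" in portal.keystore? */
public class CheckSignedReply {
    public static void main(String[] args) throws Exception {
        // Defaults are assumptions that mirror the keytool commands in the steps above.
        String keystorePath = args.length > 0 ? args[0] : "portal.keystore";
        String replyPath    = args.length > 1 ? args[1] : "signed_certificate_filename";
        String alias        = "portal";
        char[] storePass    = "changeit".toCharArray();   // the -storepass used in step 1

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            // A wrong password surfaces here as "Keystore was tampered with, or password was incorrect."
            ks.load(in, storePass);
        }
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: no private key under alias '" + alias + "'; run step 1 (-genkey) first");
            System.exit(1);
        }
        // The self-signed certificate written by -genkey holds the public half of that private key.
        PublicKey keystoreKey = ks.getCertificate(alias).getPublicKey();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate reply;
        try (InputStream in = new FileInputStream(replyPath)) {
            reply = (X509Certificate) cf.generateCertificate(in);
        }

        System.out.println("Reply subject : " + reply.getSubjectX500Principal());
        System.out.println("Reply issuer  : " + reply.getIssuerX500Principal());
        System.out.println("Reply expires : " + reply.getNotAfter());

        // This is the condition keytool reports as "Public keys in reply and keystore don't match".
        if (Arrays.equals(keystoreKey.getEncoded(), reply.getPublicKey().getEncoded())) {
            System.out.println("OK: the signed certificate matches the private key in " + keystorePath);
        } else {
            System.out.println("FAIL: public key mismatch; the CSR was not generated from this keystore");
            System.exit(2);
        }
    }
}
```

Compile it with javac from a JDK (the JRE bundled under <installdir>\jre may not include one) and run `java CheckSignedReply portal.keystore signed_certificate_filename` from the same command prompt used for the keytool steps.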