OVD 11g: Importing A Certificate Authority's (e.g., Comodo CA) Signed Certificate Into OVD 11g Keystore Fails with: PKI-04018: User cert does not match pvt key for input alias.
(Doc ID 1599649.1)
Last updated on FEBRUARY 15, 2018
Applies to: Oracle Virtual Directory - Version 22.214.171.124 and later
Information in this document applies to any platform.
Oracle Virtual Directory (OVD) 11g, i.e., 126.96.36.199.0.
While configuring for SSL, created a new keystore in Enterprise Manager (EM) Fusion Middleware (FMW) Control console for the newly created OVD component/instance.
Following: How to Configure OVD Listeners From 11g On LDAPS <Document 1210784.1>
Generated a certificate request (CSR) in EM (or command line keytool) and sent to a third party Certificate Authority (CA), i.e., Comodo CA, got it signed and returned.
When trying to import the signed certificate (user or server cert) via EM or keytool, it fails with: PKI-04018: User cert does not match pvt key for input alias.
The error description in different Oracle documentation includes the following details:
Cause: The private key with matching alias did not match the user certificate.
Action: Use a correct alias.
However, the correct alias has been double-checked and is indeed being provided correctly.
The same error occurs with other OVD components/instances and OVD on other systems.
Tried different Java versions, i.e., 1.6_29 and 1.7_15, for both OVD and WebLogic Server (WLS), but the certificate import still fails with the same error.
An older OVD 10g node/instance is able to import a Comodo CA-signed certificate without problems.
So the error occurs only when attempting to import the Comodo-signed cert to any OVD 11g instance.
As a temporary workaround, able to use the existing certificates from the OVD 10g keystore, but looking for a long term 11g only solution.
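Given the documented cause above (the certificate does not match the private key under the alias), one check to run before retrying the import is to compare the public key in the CA-returned certificate with the one in the CSR exported for that alias. This is an added example, not Oracle's procedure or the resolution in this note; the function names, file names and the OpenSSL-generated sample files are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Oracle note). The CSR for an alias can be
# re-exported with: keytool -certreq -alias <alias> -keystore <keystore> -file req.csr

# Print the SHA-256 of the PEM public key in a certificate or CSR.
# $1 = "x509" (certificate) or "req" (CSR), $2 = PEM file. Returns 2 on parse failure.
pubkey_sha256() {
    pk_pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pk_pem" ] || return 2
    printf '%s\n' "$pk_pem" | openssl dgst -sha256 -r | awk '{print $1}'
}

# $1 = signed certificate, $2 = CSR.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_csr() {
    cm_cert=$(pubkey_sha256 x509 "$1") || return 2
    cm_csr=$(pubkey_sha256 req "$2") || return 2
    [ "$cm_cert" = "$cm_csr" ]
}

# Constructed sample data in directory $1: key/CSR "a", an unrelated key/CSR "b",
# and a.crt signed over a.csr (self-signed here as a stand-in for the CA's reply).
make_constructed_samples() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.csr" \
        -subj "/CN=ovd.example.test" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$1/b.key" -out "$1/b.csr" \
        -subj "/CN=ovd.example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" 2>/dev/null
}

# Usage: ./check.sh signed.crt req.csr
if [ "$#" -eq 2 ]; then
    rc=0
    cert_matches_csr "$1" "$2" || rc=$?
    case $rc in
        0) echo "match: certificate carries the public key from this CSR" ;;
        1) echo "mismatch: certificate carries a different public key" ;;
        *) echo "error: could not parse one of the files" ;;
    esac
fi
```

A match means the returned certificate and the CSR for the alias share a key pair, so a PKI-04018 failure is not explained by a wrong key or alias; a mismatch means the certificate was issued against a different CSR or key.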