OVD 11g: Importing A Certificate Authority's Signed Certificate Into OVD 11g Keystore Fails with: PKI-04018: User cert does not match pvt key for input alias. (Doc ID 1599649.1)

Last updated on NOVEMBER 21, 2019

Applies to:

Symptoms

Oracle Virtual Directory (OVD) 11g, i.e., 11.1.1.6.0.

While configuring for SSL, created a new keystore in Enterprise Manager (EM) Fusion Middleware (FMW) Control console for the newly created OVD component/instance.

Following:   How to Configure OVD Listeners From 11g On LDAPS <Document 1210784.1>

Generated a certificate request (CSR) in EM (or command line keytool) and sent to a third party Certificate Authority (CA), got it signed and returned.

When trying to import the signed certificate (user or server cert) via EM or keytool, it fails with:

The error description in different Oracle documentation includes the following details:
   Cause: The private key with matching alias did not match the user certificate.
   Action: Use a correct alias.

However the correct alias has been doublechecked and is indeed being provided correctly.

The same error occurs with other OVD components/instances and OVD on other systems.

Tried both java versions 1.6_29 and 1.7_15, for both OVD and WLS, but the cert import still fails with the same error.

Tried different java versions, i.e., 1.6_29 and 1.7_15, for both OVD and Weblogic Server (WLS), but the same error is still returned.

An older OVD 10g node/instance is able to import a signed certificate without problems.

So the error occurs only when attempting to import the signed cert to any OVD 11g instance.

As a temporary workaround, able to use the existing certificates from the OVD 10g keystore, but looking for a long term 11g only solution.

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.