OVD 11g: Importing A Certificate Authority's Signed Certificate Into OVD 11g Keystore Fails with: PKI-04018: User cert does not match pvt key for input alias.
(Doc ID 1599649.1)
Last updated on NOVEMBER 21, 2019
Applies to: Oracle Virtual Directory - Version 18.104.22.168.0 and later
Information in this document applies to any platform.
Oracle Virtual Directory (OVD) 11g, i.e., 22.214.171.124.0.
While configuring SSL, a new keystore was created in the Enterprise Manager (EM) Fusion Middleware (FMW) Control console for the newly created OVD component/instance, following: How to Configure OVD Listeners From 11g On LDAPS <Document 1210784.1>
A certificate request (CSR) was generated in EM (or with command-line keytool), sent to a third-party Certificate Authority (CA), signed, and returned.
When trying to import the signed certificate (user or server cert) via EM or keytool, it fails with:
The error description in different Oracle documentation includes the following details:
Cause: The private key with matching alias did not match the user certificate.
Action: Use a correct alias.
However, the correct alias has been double-checked and is indeed being provided correctly.
The same error occurs with other OVD components/instances and OVD on other systems.
Different Java versions, i.e., 1.6_29 and 1.7_15, were tried for both OVD and WebLogic Server (WLS), but the certificate import still fails with the same error.
An older OVD 10g node/instance is able to import a signed certificate without problems.
So the error occurs only when attempting to import the signed cert to any OVD 11g instance.
As a temporary workaround, the existing certificates from the OVD 10g keystore can be used, but a long-term, 11g-only solution is needed.
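A way to test the condition the error text describes, as an added example that is not part of the Oracle note: it compares the public key in the CSR with the public key in the certificate returned by the CA, using openssl. The file names, the sample subject and the self-signed stand-in for the CA are assumptions made for the example.

```shell
#!/bin/sh
# Added example: does the certificate returned by the CA carry the same public
# key as the CSR that was sent? All file names here are hypothetical.
# A CSR for an existing keystore entry can be written out again with
# `keytool -certreq -alias <alias> -keystore <keystore> -file request.csr`.

# Print the SHA-256 of the DER public key in a PEM CSR ($1=req) or cert ($1=x509).
pubkey_digest() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 on match, 1 on mismatch, 2 when either file cannot be parsed.
cert_matches_csr() {
    csr_fp=$(pubkey_digest req "$1") || return 2
    cert_fp=$(pubkey_digest x509 "$2") || return 2
    echo "CSR  public key sha256: $csr_fp"
    echo "cert public key sha256: $cert_fp"
    [ "$csr_fp" = "$cert_fp" ] && return 0
    return 1
}

# Constructed sample data: key A with its CSR and certificate, plus a
# certificate for an unrelated key B. Self-signing stands in for the CA.
make_samples() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.csr" \
        -subj "/CN=ovd.example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/b.key" \
        -out "$1/b.crt" -days 1 -subj "/CN=ovd.example.test" 2>/dev/null
}

if [ "$#" -eq 2 ]; then
    cert_matches_csr "$1" "$2"        # real files: request.csr signed.crt
else
    tmp=$(mktemp -d) && make_samples "$tmp"
    cert_matches_csr "$tmp/a.csr" "$tmp/a.crt" && echo "match: certificate was issued for this key"
    cert_matches_csr "$tmp/a.csr" "$tmp/b.crt" || echo "mismatch: certificate is for another key"
    rm -rf "$tmp"
fi
```

The functions expect PEM input; a certificate delivered in DER form has to be converted to PEM first.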