A customer’s SSL certificate expired and a new one needed to be created and sent to Thawte to be signed. On receipt of the signed certificate I found that I was getting CWPKI0662E: Certificate with a public key matching the public key in the certificate from the Certificate Authority is not found in key store “NodeDefaultKeyStore”.
I found this odd so I tried again and still it did not work. I couldn’t understand why the keys in the CSR and the certificate from the CA did not match.
To take WebSphere out of the equation, I found that OpenSSL could help, and after reading a few blogs I found the following commands allowed me to compare the original CSR with the CA-signed certificate:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
I found that the values returned did not match. I asked for the certificate to be revoked and created a new CSR, sent that to Thawte and a few days later a newly signed certificate was provided which did work.
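The same comparison as a script, added here as an example and not part of the original post: it hashes the whole public key (`-pubkey`) rather than only the RSA modulus, so it also works for EC keys, and it reports an unreadable file as an error instead of a match. The function names, file names and the self-signed certificate standing in for the CA's reply are constructed for the demonstration.

```sh
#!/bin/sh
# Added example. Assumes the openssl CLI is on PATH; all file names are constructed.

# Print a SHA-256 digest of the public key held in a CSR or a certificate.
# $1 = "req" for a CSR, "x509" for a certificate; $2 = PEM file.
pubkey_digest() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1   # never hash empty input: two failures would "match"
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 when CSR ($1) and certificate ($2) carry the same public key,
# 1 when the keys differ, 2 when either file cannot be parsed.
csr_matches_cert() {
    csr_digest=$(pubkey_digest req "$1") || return 2
    crt_digest=$(pubkey_digest x509 "$2") || return 2
    [ "$csr_digest" = "$crt_digest" ]
}

# Build constructed sample files in directory $1: two key pairs (a, b),
# one CSR per key, and a certificate issued from a.csr (self-signed here,
# standing in for the certificate returned by the CA).
make_samples() {
    for k in a b; do
        openssl genrsa -out "$1/$k.key" 2048 2>/dev/null &&
        openssl req -new -key "$1/$k.key" -subj "/CN=example.test" \
            -out "$1/$k.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" 2>/dev/null
}

SAMPLES=$(mktemp -d) && make_samples "$SAMPLES" || exit 1
for csr in a.csr b.csr; do
    if csr_matches_cert "$SAMPLES/$csr" "$SAMPLES/a.crt"; then
        echo "$csr: public key matches a.crt"
    else
        echo "$csr: public key does NOT match a.crt"
    fi
done
```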