The link in your question explains how to create an SSL keystore for a server, which is not what you want to do. What you did was:

您问题中的链接解释了如何为服务器创建 SSL 密钥库，这不是您想要做的。你所做的是：

1. Create a new key pair
2. Add a trusted certificate to the keystore
3. Add another trusted certificate to the keystore
4. Try to import the SSL certificate of the server as a certificate for your key pair

1. 创建一个新的密钥对
2. 将可信证书添加到密钥库
3. 将另一个可信证书添加到密钥库
4. 尝试导入服务器的 SSL 证书作为您的密钥对的证书

Step 4 fails because the SSL certificate was generated for a completely different key pair.

步骤 4 失败，因为 SSL 证书是为完全不同的密钥对生成的。

The three certificates are probably:

这三个证书大概是：

1. The SSL certificate of the webservice
2. The CA certificate that signed the SSL certificate
3. The root certificate that signed the CA

1. 网络服务的 SSL 证书
2. 签署 SSL 证书的 CA 证书
3. 签署 CA 的根证书

What you have to do now is to add a trust anchor to your truststore (by default: ${JAVA_HOME}/jre/lib/security/cacerts), with the result that your client accepts the SSL certificate of the webservice.

您现在要做的是将信任锚添加到您的信任库（默认情况下：）${JAVA_HOME}/jre/lib/security/cacerts，结果您的客户端接受 Web 服务的 SSL 证书。

Usually the SSL server sends the whole chain except for the root certificate to the client during SSL handshake. This means that you have to add the root certificate to your truststore:

通常，SSL 服务器在 SSL 握手期间将除根证书之外的整个链发送给客户端。这意味着您必须将根证书添加到您的信任库：

keytool -import -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file CCA_Certificate.cer -alias theCCARoot

Additional steps are necessary if the webservice requires SSL client authentication, but you have never mentioned client authentication, so I assume that it is not necessary.

如果 webservice 需要 SSL 客户端身份验证，则需要额外的步骤，但您从未提到客户端身份验证，因此我认为没有必要。

The issue here is the alias you used while importing the certificate which is similar to the one you used while creating the JKS store. Just change the alias and it will solve your issue. The source document [1] needs to be corrected accordingly.

这里的问题是您在导入证书时使用的别名，它类似于您在创建 JKS 存储时使用的别名。只需更改别名即可解决您的问题。源文件 [1] 需要相应地更正。

[1] http://docs.oracle.com/cd/E19509-01/820-3503/ggfgo/index.html

[1] http://docs.oracle.com/cd/E19509-01/820-3503/ggfgo/index.html

In my case the "The root certificate that signed the CA" was missing from the chain. Please check if you have the appropriate ROOT CA certificate otherwise export it from the Intermediate and import it in the keystore. Importing the Root CA into my keystore worked for me.

在我的情况下，链中缺少“签署 CA 的根证书”。请检查您是否拥有适当的 ROOT CA 证书，否则将其从中间体导出并将其导入密钥库。将根 CA 导入我的密钥库对我有用。

In the 4 point (where you are getting error : keytool error: java.lang.Exception: Public keys in reply and keystore don't match) where you are importing the certificate, please change the alias. The alias should not be npci_client_testore as it is already used for alias of keystore.

在您导入证书的第 4 点（您收到错误：keytool 错误：java.lang.Exception：回复中的公钥和密钥库不匹配）中，请更改别名。别名不应是 npci_client_testore，因为它已用于密钥库的别名。

This worked for me:

这对我有用：

keytool -keystore yourkeystorename -importcert -alias certificatealiasname -file certificatename.cer

I had the same exception error (keystore don't match) hosting with Tomcat8. If you have entered a wrong domain nameor no domain namewhile creating your keystore, you will need to re-create your Keystore file again and resubmit your CSR again to your Certification Authority (CA) licensed/recognised/approved to issue Digital Signature Certificates (Godaddy in my case).

我有同样的异常错误（密钥库不匹配）托管与 Tomcat8。如果您在创建密钥库时输入了wrong domain name或no domain name，则需要再次重新创建您的密钥库文件，并将您的 CSR 再次提交给获得许可/认可/批准颁发数字签名证书的证书颁发机构 (CA)（在我的情况下是 Godaddy） .

Here are the commands to create a keystore file:

以下是创建密钥库文件的命令：

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcat.keystore -deststoretype pkcs12

(You need to enter the domain name when the prompt asks for a first and last name, it is requesting the Fully Qualified Domain Name(FDQN) e.g. www.example.com). From the City, State and Province - do not abbreviate

（当提示要求输入名字和姓氏时，您需要输入域名，它要求的是完全限定域名(FDQN)，例如 www.example.com）。来自市、州和省——do not abbreviate

Enter the following command to create the CSR (from the same directory as your tomcat.keystore location):

输入以下命令以创建 CSR（从与您的 tomcat.keystore 位置相同的目录中）：

keytool -certreq -keyalg RSA -alias tomcat -file myFQDN.csr -keystore tomcat.keystore

Note: Because of the previous "keystore don't match" error, I had to delete all my Godaddy certificates from my windows console (MMC).

注意：由于之前的“密钥库不匹配”错误，我不得不从我的 Windows 控制台 ( MMC) 中删除我所有的 Godaddy 证书。

Once your Certificate files are ready from your Certification Authority. Download the files and double click on each of the 2 .crt files to reinstall them again in windows (Choose automatically install in Local Machine). Make sure you backup your tomcat.keystore file then import these certificate files IN ORDERinto your tomcat.keystore file (from scratch) with the same order as the following example:

一旦您的证书文件从您的证书颁发机构准备就绪。下载文件并双击 2 个 .crt 文件中的每一个以在 Windows 中再次重新安装它们（选择在本地机器中自动安装）。确保备份您的 tomcat.keystore 文件，然后按照与以下示例相同的顺序将这些证书文件按顺序导入您的 tomcat.keystore 文件（从头开始）：

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gdig2.crt.pem
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file namewithnumbersandletters.crt

Make sure you have updated your server.xml then restart your Tomcat

确保您已更新 server.xml，然后重新启动 Tomcat

<Connector port="80" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="443" />  
    <Connector 
    URIEncoding="UTF-8"
    SSLEnabled="true" 
    clientAuth="false"
    keystoreFile="C:\Program Files\Java\jdk1.8.0_181\bin\tomcat.keystore" 
    keystorePass="changeme" 
    maxThreads="200" 
    port="443" 
    scheme="https" 
    secure="true" 
    sslProtocol="TLS" />

Voilà! The Locked icon (Secure Connection) appears when browsing on the domain.

瞧！在域上浏览时会出现锁定图标（安全连接）。

Similar to @Omikron's answer, I resolved it by adding the TrustedRoot.crtand DigiCertCA.crtfiles into the jre/lib/security/cacertskeystore.

与@Omikron 的回答类似，我通过将TrustedRoot.crt和DigiCertCA.crt文件添加到jre/lib/security/cacerts密钥库中来解决它。

sudo keytool -import -alias ALIAS -file TrustedRoot.crt -storetype JKS -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file DigiCertCA.crt

I was then able to import the certificate into my own keystore.

然后我能够将证书导入到我自己的密钥库中。

keytool -import -trustcacerts -alias other_alias -file certificate.crt -keystore keystore.jks -keypass "password" -storepass "password1"