Generate keystore:
keytool -genkey -alias tomcat -keyalg RSA -keystore my.keystore -keysize 2048
Generate certificate signing request (CSR)
I struggled with the same problem for about two weeks until I found a way around it. The problem was that the root and intermediate certificates that came with my certificate from GoDaddy were not the ones I needed. I looked many times in GoDaddy's repository but was unable to find the suitable certificates.
I viewed my certificate on my laptop (using Windows 8.1). There I saw the certificate chain, and I was able to export the root and intermediate certificates. Then I imported them to my keystore and it worked as it should.
To do this, follow these instructions:
View your certificate on a computer running Windows. You will be able to see the certificate chain on the third tab, which looks like the following image.
Select the root certificate from the chain and click on the button "View Certificate".
NOTE: Before I imported those certificates, I had to delete the ones that were in my keystore and were not working. To do so, I used the following instructions:
keytool -delete -alias [root] -keystore [keystore file]
If you are not sure what is inside your keytool, you can view it by using:
keytool -list -keystore [keystore file]
I got the same error when trying to import CA-certified certificates into the keystore, in a Linux environment.
I followed a set of steps and imported it successfully.
After receiving the CA-certified certificates, use the following steps to import the certificates into the keystore.
Import the root certificate to cacerts, which will be available in the JAVA_HOME/jre/lib/security folder, using the following command:
keytool -importcert -alias root -file [root certificate] -keystore cacerts
Once you enter the above command, it will prompt for a password; enter the password and click on yes.
Import the root certificate using the following command:
keytool -importcert -alias root -file [root certificate] -keystore [keystore file name]
Once you enter the above command, it will prompt for a password; enter the password and click on yes.
Import the intermediate certificate using the following command:
keytool -importcert -alias intermediate -file [intermediate certificate] -keystore [key store file name]
Once you enter the above command, it will prompt about replacing the already existing certificate; enter yes.
Note: the intermediate certificate is optional and can be ignored; it comes with the root certificate.
Import the site certificate using the following command:
keytool -trustcacerts -importcert -alias [alias name which give during keystore creation] -file [site certificate] -keystore [key store file name]
The environment in which these commands were executed is Java version 7. The certificates were issued by GoDaddy.
For more information, refer to: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html#importCertCmd
To resolve this issue, use an extra switch (-trustcacerts) in the keytool commands.
The command to import intermediate certificates from the intermediate.cer file to the certificates.ks keystore file should look like this:
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias intermediate -trustcacerts -file intermediate.cer
The command to import the certificate from the http.cer file to the certificates.ks keystore file should look like this:
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http -trustcacerts -file http.cer
Re-attempt to complete the creation and importing process of a signed SSL Certificate.
Download the certificate chain and open it on Windows - it stores the CA certificate and your certificate answer from the CA.
First import the CA cert to your keystore and then import the answer from the CA.
The following step is very important before importing the certs into your local key store (after receiving the signed certs from the CA).
Import the root certificate to cacerts, which will be available in the JAVA_HOME/jre/lib/security folder, using the following command:
keytool -importcert -alias root -file [root certificate] -keystore cacerts
Once you enter the above command, it will prompt for a password; enter the password and click on yes.
I've just discovered that the files GoDaddy supplied with my certificate are both intermediate certificates (in fact they seem to both be the same intermediate certificate).
I got the correct root and intermediate certificates by double clicking on my certificate and looking at the certificate path... from here I could also download each of these certificates and use the steps used in the question to import them.
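Several answers above come down to the keystore holding the wrong or no root and intermediate certificates, so a chain check after the imports is useful. The script below is an added example, not code from any of the answers: it reads `keytool -list -v` output and flags private-key entries whose chain is still length 1 or whose issuer/owner links do not line up. The function names and the sample listing are constructed for illustration, and English-locale keytool output is assumed.

```shell
#!/bin/sh
# Reads `keytool -list -v` output (English locale assumed) on stdin and checks
# every PrivateKeyEntry: chain longer than 1, and each issuer equals the next owner.
check_chain() {
  awk '
    function report(   i, status) {
      if (type != "PrivateKeyEntry") return
      status = (len < 2) ? "INCOMPLETE" : "OK"
      for (i = 1; i < len; i++)
        if (issuer[i] != owner[i + 1]) status = "BROKEN-AT-" i
      printf "%s: chain length %d, %s\n", alias, len, status
      if (status != "OK") bad = 1
    }
    /^Alias name: /               { report(); alias = substr($0, 13); type = ""; len = 0; idx = 0 }
    /^Entry type: /               { type = substr($0, 13) }
    /^Certificate chain length: / { len = $NF + 0 }
    /^Certificate\[[0-9]+\]:/     { idx++ }
    /^Owner: /                    { owner[idx] = substr($0, 8) }
    /^Issuer: /                   { issuer[idx] = substr($0, 9) }
    END                           { report(); exit bad + 0 }
  '
}

# Constructed sample listing (not real output): one complete chain, one bare key.
sample_listing() {
  cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: oldkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=www.example.com
EOF
}

# Real use: keytool -list -v -keystore my.keystore | check_chain
sample_listing | check_chain || echo "chain problems found"
```

A chain length of 1 on the key's alias after importing the site certificate means the CA reply was not chained to a root or intermediate in the keystore.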