When you import signed certificates for the Data Loss Prevention (DLP) Enforce console, you see the error, "keytool error: java.lang.Exception: Failed to establish chain from reply."

The Certificate Authority (CA) sends you a signed certificate in response to your certificate signing request (CSR). The self-signed certificate must return the root certificate along with the signed certificate.

1. Place the signed certificate into the directory (<drive>\vontu\jre\bin) with the .keystore file.
   
   If the signed certificate is provided in the body of an email, paste it into a text document exactly as it appears on the screen, including the top and bottom lines:
   
   -----Begin Certificate-----
...
-----End Certificate-----
   
   Note: Make sure that no extra lines, spaces, trailing carriage returns, or characters have been inadvertently added, or the file will not work.
    
2. Import your new root certificate as follows:
   
   keytool -import -alias root -keystore .keystore -trustcacerts -file <root cert filename>
    
3. Save this file in the same directory where the .keystore file is located. If the signed certificate is provided as an attachment to an email, copy this file into the same directory where the .keystore file is located.
4. Use the following command to update the .keystore file with the signed certificate:
   
   keytool -import -alias tomcat -keystore .keystore -trustcacerts -file <signed certificate filename>

If you see the following error again, you are likely missing an Intermediate Certification Authority (CA) Certificate.

keytool error: java.lang.Exception: Failed to establish chain from reply  

In this case, you need to import the intermediate certificates as follows:

keytool -import -keystore .keystore -trustcacerts -file <intermediate certificate filename>