When you import signed certificates for the Data Loss Prevention (DLP) Enforce console, you see the error, "keytool error: java.lang.Exception: Failed to establish chain from reply."
The Certificate Authority (CA) sends you a signed certificate in response to your certificate signing request (CSR). The CA must also return its root (self-signed) certificate along with the signed certificate. Each certificate file is PEM-encoded text of the form:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Import the root certificate first, then the signed certificate:
keytool -import -alias root -keystore .keystore -trustcacerts -file <root cert filename>
keytool -import -alias tomcat -keystore .keystore -trustcacerts -file <signed certificate filename>
If you see the following error again, you are likely missing an Intermediate Certification Authority (CA) Certificate.
keytool error: java.lang.Exception: Failed to establish chain from reply
In this case, you need to import the intermediate certificates as follows, giving each intermediate certificate its own alias, and then retry the import of the signed certificate:
keytool -import -alias <intermediate alias> -keystore .keystore -trustcacerts -file <intermediate certificate filename>
For example, as of April 2006, all SSL certificates purchased through the Symantec (formerly VeriSign) Web site require the installation of an Intermediate Certificate Authority (CA) Certificate. The SSL certificates are signed by an Intermediate CA using a two-tier hierarchy (also known as a trust chain), which enhances the security of your SSL certificates.
Note: This has also been seen to happen where the signed certificate received (from VeriSign) was in the wrong format (x509 instead of PKCS#7). If so, obtain the correct format for the signed certificate and retry importing it into the .keystore.
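The two causes described above (a reply that holds only the end-entity certificate with no intermediate, and a reply in an unexpected container format) can be told apart before keytool is run at all. The following is an added example, not part of this article and not Symantec's or keytool's own code: it inspects a CA reply file, reports what it contains, and splits a multi-certificate PEM bundle into one file per link so each can be imported under its own alias. The sample files it creates use placeholder bodies and are constructed for the demonstration; they are not real certificates.

```shell
#!/bin/sh
# Added example (not from the KB article): inspect a CA reply before importing it.

# Count PEM certificate blocks in a file (prints 0 if there are none).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify the container by its first PEM marker: x509, pkcs7, or unknown.
pem_kind() {
    first=$(grep -e '-----BEGIN ' "$1" | head -n 1)
    case "$first" in
        *'BEGIN CERTIFICATE-----'*) echo x509 ;;
        *'BEGIN PKCS7-----'*)       echo pkcs7 ;;
        *)                          echo unknown ;;
    esac
}

# One-word verdict: pkcs7-chain, single-x509 (intermediates are probably
# missing, the "Failed to establish chain" case), x509-bundle (split it and
# import each link with its own alias), or unknown.
diagnose_reply() {
    case "$(pem_kind "$1")" in
        pkcs7) echo pkcs7-chain ;;
        x509)
            if [ "$(pem_cert_count "$1")" -eq 1 ]; then
                echo single-x509
            else
                echo x509-bundle
            fi ;;
        *) echo unknown ;;
    esac
}

# Split an x509 bundle into <prefix>-1.pem, <prefix>-2.pem, ... in file order
# (keytool -import reads only the first certificate of a file). Prints the
# number of links written.
split_pem_bundle() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
    pem_cert_count "$1"
}

# Constructed sample files with placeholder bodies (not real certificates).
make_samples() {
    d="$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...signed-placeholder...' \
        '-----END CERTIFICATE-----' > "$d/single.pem"
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...signed-placeholder...' \
            '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...intermediate-placeholder...' \
            '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIID...root-placeholder...' \
            '-----END CERTIFICATE-----'
    } > "$d/bundle.pem"
    printf '%s\n' '-----BEGIN PKCS7-----' 'MIIE...p7b-placeholder...' \
        '-----END PKCS7-----' > "$d/reply.p7b"
}

# Usage: build the samples in a scratch directory and print each verdict.
main() {
    dir=$(mktemp -d)
    make_samples "$dir"
    for f in single.pem bundle.pem reply.p7b; do
        echo "$f: $(diagnose_reply "$dir/$f")"
    done
    echo "bundle links written: $(split_pem_bundle "$dir/bundle.pem" "$dir/link")"
    rm -rf "$dir"
}

main
```

A verdict of single-x509 means the reply alone cannot complete the chain and the intermediate must be imported first; x509-bundle means the CA concatenated the chain, so split it and import the root, then each intermediate, then the signed certificate under the tomcat alias.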