Error: "keytool error: java.lang.Exception: Failed to establish chain from reply" when importing signed certificates for DLP Enforce

Article ID: 160027

Products

Data Loss Prevention Enforce

Issue/Introduction

When you import signed certificates for the Data Loss Prevention (DLP) Enforce console, you see the error, "keytool error: java.lang.Exception: Failed to establish chain from reply."

Environment

The Certificate Authority (CA) sends you a signed certificate in response to your certificate signing request (CSR). The CA must return the root certificate along with the signed certificate.

Resolution

  1. Place the signed certificate into the directory (<drive>\vontu\jre\bin) with the .keystore file.

    If the signed certificate is provided in the body of an email, paste it into a text document exactly as it appears on the screen, including the top and bottom lines:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----


    Note: Make sure that no extra lines, spaces, trailing carriage returns, or characters have been inadvertently added, or the file will not work.
     
  2. Import your new root certificate as follows:

    keytool -import -alias root -keystore .keystore -trustcacerts -file <root cert filename>
     
  3. Save the text file from step 1 in the same directory where the .keystore file is located. If the signed certificate is provided as an attachment to an email, copy the attached file into the same directory where the .keystore file is located.
  4. Use the following command to update the .keystore file with the signed certificate:

    keytool -import -alias tomcat -keystore .keystore -trustcacerts -file <signed certificate filename>

If you see the following error again, you are likely missing an Intermediate Certification Authority (CA) Certificate.

keytool error: java.lang.Exception: Failed to establish chain from reply  

In this case, you need to import the intermediate certificates as follows (use a distinct alias for each intermediate certificate, because keytool refuses to reuse an alias that already exists in the keystore):

keytool -import -alias <intermediate alias> -keystore .keystore -trustcacerts -file <intermediate certificate filename>

For example, as of April 2006, all SSL certificates purchased through the Symantec (formerly VeriSign) Web site require the installation of an Intermediate Certificate Authority (CA) Certificate. The SSL certificates are signed by an Intermediate CA using a two-tier hierarchy (also known as a trust chain), which enhances the security of your SSL certificates.

Note: This has also been seen to happen where the signed certificate received (from VeriSign) was in the wrong format (x509 instead of PKCS#7). If so, obtain the signed certificate in the correct format and retry importing it into the .keystore.
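As an added example (not from this article, DLP Enforce or keytool), a hypothetical Python check to run on the saved reply file before importing it: it flags the mis-cased header lines, stray whitespace, carriage returns and extra lines the note in step 1 warns about, and reports whether the file holds a single certificate (root and intermediates still to be imported) or a PKCS#7 bundle. The sample inputs at the bottom are constructed, not real certificates.

```python
# Hypothetical helper written for this article (not part of DLP Enforce or keytool).
import base64
import binascii

def check_pem(text):
    """Return (problems, blocks): messages, plus (label, der_bytes) per well-formed block."""
    problems, blocks, label, body = [], [], None, []
    for n, raw in enumerate(text.removesuffix("\n").split("\n"), 1):
        if raw != raw.strip():
            problems.append(f"line {n}: leading/trailing whitespace or carriage return")
        line = raw.strip()
        if line == "":
            problems.append(f"line {n}: extra blank line")
        elif line.startswith("-----BEGIN "):
            label, body = line[11:].rstrip("-"), []
            if label not in ("CERTIFICATE", "PKCS7"):  # plain X.509 reply or PKCS#7 bundle
                problems.append(f"line {n}: unexpected block label {label!r}")
        elif line.startswith("-----END "):
            if line[9:].rstrip("-") != label:
                problems.append(f"line {n}: END without matching BEGIN")
            else:
                try:  # body must be strict base64 or keytool rejects the file
                    blocks.append((label, base64.b64decode("".join(body), validate=True)))
                except binascii.Error:
                    problems.append(f"line {n}: {label} body is not valid base64")
            label = None
        elif line.upper().startswith(("-----BEGIN ", "-----END ")):
            problems.append(f"line {n}: header must read exactly {line.upper()!r}")
        elif label is None:
            problems.append(f"line {n}: text outside any BEGIN/END block")
        else:
            body.append(line)
    if label is not None:
        problems.append(f"unterminated {label} block: END line missing")
    return problems, blocks

def chain_hint(blocks):
    """Relate what the file holds to the 'Failed to establish chain' error."""
    if any(lbl == "PKCS7" for lbl, _ in blocks):
        return "PKCS#7 reply: may already carry the root and intermediate certificates"
    n = sum(lbl == "CERTIFICATE" for lbl, _ in blocks)
    if n == 1:
        return "single certificate: import root and intermediates before alias tomcat"
    return f"{n} certificates found" + (": import each under its own alias" if n else "")

# Constructed sample input (not a real certificate); only the PEM framing is checked.
_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
GOOD_PEM = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
BAD_PEM = f"-----Begin Certificate-----\r\n{_B64} \r\n-----End Certificate-----\r\n\r\n"
```

Running `check_pem` on a file read with `open(path, newline="")` keeps the carriage returns visible so they are reported rather than silently translated.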