We have created the Private Key and exported the CSR and had it signed by our CA.  The signed cert did not include root or intermediate certs along with it, however the customer had these certs and we imported them.

After the root and intermediate certs were imported we tried to import the CSR and we received the error message "keytool error: java.lang.Exception: Failed to establish chain from reply" and the signed CSR refused to be imported.

Spectrum OneClick : ANY

The root and intermediate certs were provided apart of the signed CSR and they were not correct.

The error message "keytool error: java.lang.Exception: Failed to establish chain from reply" is because the signed CSR needs to be attached to the Private Key in the keystore and creates a Certificate Chain from the root to intermediate certs that are already in the keystore.

As these were not the correct root and intermediate certs, no certificate chain could be complete and the signed CSR refused to be attached to the Private Key as no Certificate Chain could be made.

Customer needed to consult further with their security team to get the proper root and intermediate certs and once these were imported, then the signed CSR was imported successfully.

For more information, please see the documentation for Enabling SSL in OneClick here