Java Certificate Import error

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux
  • JBoss Enterprise Application Platform

Issue

  • When trying to import my certificate from my CA, I get the following error:
    keytool error: java.lang.Exception: Failed to establish chain from reply

Resolution

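The error means that keytool cannot build a chain of trust from the certificate you are importing (the CA's reply) to a certificate the keystore already trusts: your certificate is signed by a CA, and that CA's certificate is not in your certificate store (keystore).

To resolve this error, import the CA certificate and/or any other certificates in the chain into the keystore before importing the signed certificate. Compare the fingerprint that keytool displays with the one published by the CA before you accept the certificate as trusted.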

     keytool -import -trustcacerts -alias root_ca -file ca_cert.crt -keystore keystore.jks

Diagnostic Steps

  • See who the signer of your certificate is (look at the Issuer):
    keytool -printcert -file signed_certificate.crt

    Owner: CN=test, OU=test, O=test, ST=test, C=test
    Issuer: EMAILADDRESS=root@test, CN=test_ca, OU=test, O=test, L=test, ST=test, C=test
    Serial number: 1
    Valid from: Wed Mar XX 12:20:07 EST 20XX until: Sat Apr XX 13:20:07 EDT 20XX
    Certificate fingerprints:
         ...
  • See if the Issuer is in the keystore:
    keytool -list -keystore keystore.jks -v
    Enter keystore password: *********

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: ALIAS
    Creation date: XXX XX, 20XX
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=test, OU=test, O=test, L=test, ST=test, C=test
    Issuer: CN=test, OU=test, O=test, L=test, ST=test, C=test
    Serial number: 21c21671
    Valid from: Wed Mar 06 12:20:52 EST 2013 until: Tue Jun 04 13:20:52 EDT 2013
    Certificate fingerprints:
         MD5:  B3:CB:52:6D:C2:91:47:67:F1:53:17:1E:2C:40:0C:65
         SHA1: 85:FF:DB:79:58:77:C5:2C:69:8C:93:41:E7:47:9D:3D:73:24:3C:10
         SHA256: 8D:10:CA:D2:35:C1:CF:0B:04:AE:E6:AC:97:A3:F6:0C:C7:24:0D:08:99:55:A0:53:2D:E7:A4:56:7E:1D:90:01
         Signature algorithm name: SHA256withRSA
         Version: 3

    Extensions: 

    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 20 D5 33 22 D6 22 59 89   86 41 5C 46 B1 1E F7 43   .3"."Y..A\F...C
    0010: 54 63 0B F5                                        Tc..
    ]
    ]

    *******************************************
    *******************************************
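
The two diagnostic steps can be combined into one check over saved keytool output. The script below is an added example, not part of the original solution; the function names, the file names reply.txt and keystore.txt, and the sample data (constructed from the output shown above) are assumptions.

```shell
#!/bin/sh
# Inputs are saved keytool output, for example:
#   keytool -printcert -file signed_certificate.crt > reply.txt
#   keytool -list -v -keystore keystore.jks > keystore.txt
# reply.txt and keystore.txt are assumed file names.

# Print the Issuer DN of the first certificate in saved keytool output.
issuer_dn() {
    sed -n 's/^[[:space:]]*Issuer: //p' "$1" | head -n 1
}

# Exit 0 when the reply's Issuer DN is the Owner DN of some keystore entry,
# 1 when it is absent, 2 when no Issuer line was found.
# A DN match is only a name check; keytool itself verifies the signatures,
# and with -trustcacerts it also consults the JDK cacerts file.
issuer_in_keystore() {
    issuer=$(issuer_dn "$1")
    [ -n "$issuer" ] || return 2
    sed -n 's/^[[:space:]]*Owner: //p' "$2" | grep -Fxq -- "$issuer"
}

# Constructed sample data, modeled on the output shown above.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/reply.txt" <<'EOF'
Owner: CN=test, OU=test, O=test, ST=test, C=test
Issuer: EMAILADDRESS=root@test, CN=test_ca, OU=test, O=test, L=test, ST=test, C=test
EOF
cat > "$work/keystore.txt" <<'EOF'
Alias name: ALIAS
Entry type: PrivateKeyEntry
Owner: CN=test, OU=test, O=test, L=test, ST=test, C=test
Issuer: CN=test, OU=test, O=test, L=test, ST=test, C=test
EOF
# The same keystore after the CA certificate was imported as root_ca.
cat "$work/keystore.txt" - > "$work/keystore_fixed.txt" <<'EOF'
Alias name: root_ca
Entry type: trustedCertEntry
Owner: EMAILADDRESS=root@test, CN=test_ca, OU=test, O=test, L=test, ST=test, C=test
Issuer: EMAILADDRESS=root@test, CN=test_ca, OU=test, O=test, L=test, ST=test, C=test
EOF

for ks in keystore.txt keystore_fixed.txt; do
    if issuer_in_keystore "$work/reply.txt" "$work/$ks"; then
        echo "$ks: issuer present"
    else
        echo "$ks: issuer missing, import the CA certificate first"
    fi
done
```

When the issuer found this way is itself signed by another CA, repeat the check with that CA certificate as the reply until you reach a self-signed root.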
