Failed to establish chain problem

 
Ranch Hand
Posts: 46
I created a keystore through the use of keytool.
I then created a .csr request file through keytool.
I then went to the Thawte site and pasted in the data from the .csr file in order to get a temp. certificate from Thawte.
I then cut the certificate data generated from Thawte and pasted into a notepad file .cer.
I tried to import this .cer file into the keystore I created.
I kept having this error: keytool error: java.lang.Exception: Failed to establish chain from reply
I then obtained Thawte's own public certificate and saved that in a .cer file, and imported it into IE6 through tool>internet options>content>Certificates>other People and then exported it in another format so that I could import Thawte's own cert. as a trusted certificate into my keystore. This import worked. But the initial import continued to have the failed to establish chain problem.
Please can someone give me some ideas?
Thanks in advance!
 
Ranch Hand
Posts: 214
Hej,
I remember having this problem, but I can't remember what I did to fix it.
Here's a couple of things you could try.
a) Check jre/lib/security/cacerts... keytool -list -v -keystore cacerts contains thawte's cert. Putting into your local keystore shouldn't be necessary.
b) If using jdk1.4, try installing the unlimited jurisdiction policy files.
L
 
Rob Chung
Ranch Hand
Posts: 46
Lewin,
Thank you very much for your quick reply.
I did check that Thawte is one of the trusted entries in my cacerts file. But because I kept having the chain problem, I thought it's worth a try to put that into my keystore (which didn't help to solve my problem anyway).
I am using 1.4. Will look into the unlimited jurisdiction policy files now.
 
Rob Chung
Ranch Hand
Posts: 46
I have tried the jurisdiction jar files. Still same error.
Please do post more ideas if any come up.
Thanks!
 
Rob Chung
Ranch Hand
Posts: 46
Any more ideas please?
Thanks in advance!
 
Lewin Chan
Ranch Hand
Posts: 214
Is the file that you have pasted into notepad in a format something along the lines of

I'm not sure that keytool understands PEM format (at least it didn't in 1.3), so you may have to convert it into a DER/CER format using something like openssl
L
 
Rob Chung
Ranch Hand
Posts: 46
Thanks for replying.
The public cert. I got was :
-----BEGIN CERTIFICATE-----
[certificate data not preserved]
-----END CERTIFICATE-----
I did convert it to other formats through the use of IE6, Tool>Internet Options>Content to import the certificate and export it as other format, then tried importing this converted-format cert. into my keystore. I still have the same error.
I searched the net for days and am still stuck with this same error.
 
Greenhorn
Posts: 1
I took the following steps and succeeded in this matter:
1. created a keystore using keytool: "keytool -genkey -alias www.mysite.com -keyalg RSA -keysize 1024 -keystore key.store"
2. created a certificate signing request (.CSR): "keytool -certreq -alias www.mysite.com -file mysite.csr -keystore key.store" and sent it to Thawte.
3. Imported the received (from Thawte) certificate (.CRT): "keytool -import -trustcacerts -alias www.mysite.com -file mysite.crt -keystore key.store"
Some clients can refuse (without notice) connecting using this certificate in case it is not offered by the machine it was issued for - for example if it was issued for "www.mysite.com" but some other machine uses it to initiate an SSL session.
 
Greenhorn
Posts: 1
Hi,
I had the same problem and now have solved it by adding an alias name.
keytool -keystore mykeystore -keyalg RSA -import
-trustcacerts -alias myalias -file myfile.cer
Hope this will help you!
 
Greenhorn
Posts: 1
I had this problem, but I didn't import the CA root cert. After I imported the CA root certificate, then the certificate imported fine.
 
Greenhorn
Posts: 1
I just had the same problem recently and it turned out it was the format of my SSL cert causing the problem. Once I converted it to the PKCS#7 format, I could import the cert to the identity keystore and was able to start WLS8.1+sp2. Hope this helps.
[ June 18, 2004: Message edited by: Victor Le ]
 
Greenhorn
Posts: 1
Like somebody else said, you will get this error if you try to import a key using the same alias as before. Try a different alias name and see if it works. This error message is very cryptic for this problem.
 
Greenhorn
Posts: 13
It's a generic error message, it cannot complete the chain.
Most likely you don't have the same CA certificate present as your certificate is signed with.
 
Greenhorn
Posts: 1
Every time I have had this problem, it is because of a blank line at the end of one of the files being used.

Example:
....
SnxZOoxFXj7HXejOoWs12GmNiLlOfBbWX3bRDjkGrX1hywUfZynhW1NALzLDXfi3
RzFJW8ItZGAw65NR2iEyAg==
-----END CERTIFICATE-----

Make sure that at every stage of your cert process you do not have a blank line after the -----END CERTIFICATE----- line.

 
Rancher
Posts: 3742
Is this the Bermuda triangle thread ? 6 people have now made their first post here. 5 have never been heard from again. Is this the end for Randy or will he buck the trend ?
 
Greenhorn
Posts: 1
Had similar issues with WebLogic. Importing the provided CA response resulted in the exception error. However, copying the PKCS7 format and importing it with keytool worked fine due to the root CA information being included in the response. Hope this helps. This process has resolved 100% of the occurrences of this issue in our environment.
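
Several replies above suggest inspecting the reply file itself: PEM versus DER encoding, a PKCS#7 reply, and a blank line after the END line. The following Python script is an added example, not code from any poster in this thread; `triage_reply`, `pem` and the sample bytes are constructed for illustration, and it only reports what a file looks like without deciding which of those causes applies.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def triage_reply(data: bytes) -> dict:
    """Report encoding, PEM block labels and stray text in a CA reply file."""
    report = {"encoding": "unknown", "blocks": [], "notes": []}
    text = data.decode("ascii", errors="replace")
    matches = list(PEM_BLOCK.finditer(text))
    if not matches:
        # Binary DER opens with the ASN.1 SEQUENCE tag 0x30.
        if data[:1] == b"\x30":
            report["encoding"] = "DER"
        else:
            report["notes"].append("no complete BEGIN/END block found")
        return report
    report["encoding"] = "PEM"
    for m in matches:
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            report["notes"].append(f"{label}: body is not clean base64")
            continue
        if der[:1] != b"\x30":
            report["notes"].append(f"{label}: decoded body is not DER")
        report["blocks"].append(label)
    if text[:matches[0].start()].strip():
        report["notes"].append("text before the first BEGIN line")
    tail = text[matches[-1].end():]
    if tail.strip():
        report["notes"].append("text after the last END line")
    elif tail.count("\n") > 1:
        report["notes"].append("blank line(s) after the last END line")
    if "\r\n" in text:
        report["notes"].append("CRLF line endings")
    return report

# Constructed stand-in for certificate bytes: SEQUENCE { INTEGER 1 }.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

def pem(label: str) -> str:
    """Wrap the constructed bytes in a PEM block with the given label."""
    body = base64.b64encode(FAKE_DER).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    for sample in (pem("CERTIFICATE") + "\n", pem("PKCS7")):
        print(triage_reply(sample.encode()))
```

A `CERTIFICATE` label means a single X.509 certificate, while a `PKCS7` label means a bundle that can carry the CA certificates along with the reply.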
 
Greenhorn
Posts: 14

Joanne Neal wrote:Is this the Bermuda triangle thread ? 6 people have now made their first post here. 5 have never been heard from again. Is this the end for Randy or will he buck the trend ?



I think you are correct. I found this thread as I just had this problem. In my case I'm attempting to trim down what I import into my keystore.ks. I had everything working but when I examined the JKS keystore.ks I noticed it has the complete chain with the Root CA (our own local CA) at the top. I wasn't sure that was really wise, so I experimented with trying to import just the certificate. In my case, because of how I created the keystore in the first place, I already have an entry and the import fails with this error.

Anyhow, @Joanne it is amusing how nobody comes back from this thread. Hopefully I will be an exception ;)
 