Failed to Establish Chain from Reply
January Montague
Greenhorn
Joined: Jan 27, 2005
Posts: 5
|
|
I am trying to import a certificate created for me from a .CSR file.
Long story short, I am getting the error "Failed to Establish Chain from Reply". I found a thread with a user with a similar problem back in 2003.
The problem they were having seemed to be because they used an alias they had previously used before.
I took that advice and deleted everything off of the server to do with the certificate and used new alias names. However, this didn't work. I'm still getting the same error.
I'm hoping if I post my series of steps here someone may be able to pick out what I'm doing wrong and help me.
Any advice would be appreciated.
Here are the steps:
1. I generate the key using the command:
keytool -genkey -alias incOne -keyalg RSA -keysize 4096 -keystore incKEY.key
2. Then I generate the CSR against that key that was just created using the command
keytool -certreq -keyalg RSA -alias incOne -file certreqIncOne.csr -keystore incKEY.key
At this point I use -list to see what's in my .key file. In the .key file I have:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
incone, Oct 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): ______________________________
Then after I get the certificate, I import it
1. Import the chain certificate using the command
keytool -import -alias root -keystore incKEY.key -trustcacerts -file CA_Chain.crt
and again, I use -list to see what's in the file and I have:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
root, Oct 24, 2011, trustedCertEntry,
Certificate fingerprint (MD5): ______________________________
incone, Oct 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): ______________________________
Now, I'm still following the tomcat instructions Apache Tomcat 6.0 SSL Configuration HOW-TO,
I try to import the certificate created for me by using the command:
keytool -import -alias incOne -keystore incKEY.key -trustcacerts -file doors01-10242011.crt
and I get the error: "Failed to establish chain from reply", which as I stated before from what I've researched means I've used the same alias name.
Now my main question is what's the point of importing the certificate created for me?
Is that certificate supposed to overwrite the other incone private key entry as a trustedCertEntry?
Thank You
January
|
 |
Arshad Noor
Ranch Hand
Joined: Oct 06, 2011
Posts: 33
|
|
Depends on who the Issuing CA is and what their chain looks like. Post the contents of CA_Chain.crt and doors01-10242011.crt so I can tell if your chain is intact.
Arshad Noor
StrongAuth, Inc.
|
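Added example, not part of the original thread: keytool reports "Failed to establish chain from reply" when it cannot link the certificate reply, issuer by issuer, to a trusted certificate already in the keystore. The sketch below checks that link using the Owner and Issuer lines printed by `keytool -printcert` and `keytool -list -v`; every name in the sample text is constructed, and it compares names only, without verifying signatures.

```python
import re

# Constructed samples shaped like keytool output. All names are made up.
REPLY = """Owner: CN=doors01.example.test, O=Example Inc
Issuer: CN=Example Issuing CA, O=Example CA
"""
ROOT_ONLY = """Alias name: root
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""
INTERMEDIATE = """Alias name: issuing
Owner: CN=Example Issuing CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""

def parse_certs(text):
    """Return (owner, issuer) pairs from keytool's Owner:/Issuer: lines."""
    owners = re.findall(r"^Owner: (.+)$", text, re.M)
    issuers = re.findall(r"^Issuer: (.+)$", text, re.M)
    return [(o.strip(), i.strip()) for o, i in zip(owners, issuers)]

def walk_chain(reply_text, trusted_text, max_depth=10):
    """Follow Issuer -> Owner links from the reply toward a self-signed root.

    Returns (chain, missing_issuer). missing_issuer is None when the walk
    ends at a self-signed trusted certificate, otherwise it names the issuer
    that no trusted entry has as its Owner.
    """
    trusted = dict(parse_certs(trusted_text))   # owner -> issuer
    owner, issuer = parse_certs(reply_text)[0]
    chain = [owner]
    for _ in range(max_depth):
        if issuer not in trusted:
            return chain, issuer                # gap in the chain
        chain.append(issuer)
        if trusted[issuer] == issuer:           # self-signed: reached the root
            return chain, None
        issuer = trusted[issuer]
    return chain, issuer                        # loop or overly long chain

if __name__ == "__main__":
    for label, store in (("root only", ROOT_ONLY),
                         ("root + intermediate", ROOT_ONLY + INTERMEDIATE)):
        chain, missing = walk_chain(REPLY, store)
        status = "chain complete" if missing is None else f"missing: {missing}"
        print(f"{label}: {len(chain)} cert(s) linked, {status}")
```

A non-`None` second value names the issuer certificate that still has to be imported as a trusted entry before the reply can be imported.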