I created a keystore through the use of keytool. I then created a .csr request file through keytool. I then went to the Thawte site and pasted in the data from the .csr file in order to get a temp. certificate from Thawte. I then cut the certificate data generated from Thawte and pasted it into a notepad file .cer. I tried to import this .cer file into the keystore I created. I kept having this error:
keytool error: java.lang.Exception: Failed to establish chain from reply
I then obtained Thawte's own public certificate and saved that in a .cer file, and imported it into IE6 through tool>internet options>content>Certificates>other People and then exported it in another format so that I could import Thawte's own cert. as a trusted certificate into my keystore. This import worked. But the initial import continued to have the failed to establish chain problem. Please can someone give me some ideas? Thanks in advance!
Hej, I remember having this problem, but I can't remember what I did to fix it. Here's a couple of things you could try.
a) Check jre/lib/security/cacerts... keytool -list -v -keystore cacerts contains thawte's cert. Putting it into your local keystore shouldn't be necessary.
b) If using jdk1.4, try installing the unlimited jurisdiction policy files.
L
I have no java certifications. This makes me a bad programmer. Ignore my post.
Lewin, Thank you very much for your quick reply. I did check that Thawte is one of the trusted entries in my cacerts file. But because I kept having the chain problem, I thought it's worth a try to put that into my keystore (which didn't help to solve my problem anyway). I am using 1.4. Will look into the unlimited jurisdiction policy files now.
Thanks for replying. The public cert. I got was a PEM-encoded certificate. I did convert it to other formats through the use of IE6, Tool>Internet Options>Content to import the certificate and export it as other format, then tried importing this converted-format cert. into my keystore. I still have the same error. I searched the net for days and am still stuck with this same error.
I took the following steps and succeeded in this matter:
1. created a keystore using keytool: "keytool -genkey -alias www.mysite.com -keyalg RSA -keysize 1024 -keystore key.store"
2. created a certificate signing request (.CSR): "keytool -certreq -alias www.mysite.com -file mysite.csr -keystore key.store" and sent it to Thawte.
3. Imported the received (from Thawte) certificate (.CRT): "keytool -import -trustcacerts -alias www.mysite.com -file mysite.crt -keystore key.store"
Some clients can refuse (without notice) connecting using this certificate in case it is not offered by the machine it was issued for - for example if it was issued for "www.mysite.com" but some other machine uses it to initiate an SSL session.
I just had the same problem recently and it turned out it was the format of my SSL cert causing the problem. Once I converted it to the PKCS#7 format, I could import the cert to the identity keystore and was able to start WLS8.1+sp2. Hope this helps. [ June 18, 2004: Message edited by: Victor Le ]
Like somebody else said, you will get this error if you try to import a key using the same alias as before. Try a different alias name and see if it works. This error message is very cryptic for this problem.
Had similar issues with Web Logic. Importing the provided CA response resulted in the exception error. However, copying the PKCS7 format and importing it with keytool worked fine due to the rootca information being included in the response. Hope this helps. This process has resolved 100% of the occurrences of this issue in our environment.
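The failure and one of the fixes discussed in this thread can be reproduced offline with a throwaway CA; this is an added example, not part of any post above. It assumes a JDK 7+ keytool on the PATH, and the CA name, the alias testroot, the file names and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Reproduce "Failed to establish chain from reply", then fix it by making the
# issuing root known to the keystore before importing the reply.
# Assumptions: JDK 7+ keytool; every name and the password are constructed.
demo_chain_from_reply() {
  d=$(mktemp -d) || return 2
  pw=changeit
  ca="-keystore $d/ca.store -storepass $pw"
  ks="-keystore $d/key.store -storepass $pw"
  en="-J-Duser.language=en"   # keep keytool messages in English for grep

  # Throwaway root CA standing in for the issuer of the certificate reply.
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=Example Test CA Root" -ext bc=ca:true -keypass "$pw" $ca || return 2
  keytool -exportcert -rfc -alias ca -file "$d/ca.pem" $ca || return 2

  # Key pair and CSR, as in steps 1 and 2 of the post above.
  keytool -genkeypair -alias www.mysite.com -keyalg RSA -keysize 2048 \
    -dname "CN=www.mysite.com" -keypass "$pw" $ks || return 2
  keytool -certreq -alias www.mysite.com -file "$d/mysite.csr" $ks || return 2

  # The CA signs the CSR; the reply is one PEM certificate with no chain.
  keytool -gencert -rfc -alias ca -infile "$d/mysite.csr" \
    -outfile "$d/mysite.crt" $ca || return 2

  # Import while the issuer is unknown to the keystore: this must fail.
  out=$(keytool $en -importcert -noprompt -alias www.mysite.com \
    -file "$d/mysite.crt" $ks 2>&1) && return 1
  echo "$out"
  echo "$out" | grep -q "Failed to establish chain from reply" || return 1

  # Fix: trust the root under its OWN alias, then import the reply under
  # the SAME alias as the private key so keytool can link the chain.
  keytool -importcert -noprompt -alias testroot -file "$d/ca.pem" $ks || return 2
  keytool -importcert -noprompt -alias www.mysite.com \
    -file "$d/mysite.crt" $ks || return 1

  # The key entry now carries the reply plus the root.
  keytool $en -list -v -alias www.mysite.com $ks |
    grep "Certificate chain length: 2"
  rc=$?
  rm -rf "$d"
  return $rc
}

case "${1:-}" in run) demo_chain_from_reply ;; esac
```

Run the script with the argument run; it prints the keytool error from the first import and the chain length after the second.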
Joanne Neal wrote: Is this the Bermuda triangle thread? 6 people have now made their first post here. 5 have never been heard from again. Is this the end for Randy or will he buck the trend?
I think you are correct. I found this thread as I just had this problem. In my case I'm attempting to trim down what I import into my keystore.ks. I had everything working but when I examined the JKS keystore.ks I noticed it has the complete chain with the Root CA (our own local CA) at the top. I wasn't sure that was really wise, so I experimented with trying to import just the certificate. In my case, because of how I created the keystore in the first place, I already have an entry and the import fails with this error.
Anyhow, @Joanne it is amusing how nobody comes back from this thread. Hopefully I will be an exception ;)