Failed to Establish Chain from Reply

 
Greenhorn
Posts: 5
I am trying to import a certificate created for me from a .CSR file.
Long story short, I am getting the error "Failed to Establish Chain from Reply". I found a thread with a user with a similar problem back in 2003.
The problem they were having seemed to be because they used an alias they had previously used before.
I took that advice and deleted everything off of the server to do with the certificate and used new alias names. However, this didn't work. I'm still getting the same error.

I'm hoping if I post my series of steps here someone may be able to pick out what I'm doing wrong and help me.
Any advice would be appreciated.

Here are the steps:
1. I generate the key using the command:
keytool -genkey -alias incOne -keyalg RSA -keysize 4096 -keystore incKEY.key

2. Then I generate the CSR against that key that was just created using the command
keytool -certreq -keyalg RSA -alias incOne -file certreqIncOne.csr -keystore incKEY.key


At this point I use -list to see what's in my .key file. In the .key file I have:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

incone, Oct 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): ______________________________

Then after I get the certificate, I import it
1. Import the chain certificate using the command

keytool -import -alias root -keystore incKEY.key -trustcacerts -file CA_Chain.crt

and again, I use -list to see what's in the file and I have:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Oct 24, 2011, trustedCertEntry,
Certificate fingerprint (MD5): ______________________________
incone, Oct 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): ______________________________

Now, I'm still following the Tomcat instructions (Apache Tomcat 6.0 SSL Configuration HOW-TO),
I try to import the certificate created for me by using the command:
keytool -import -alias incOne -keystore incKEY.key -trustcacerts -file doors01-10242011.crt

and I get the error: "Failed to establish chain from reply", which as I stated before from what I've researched means I've used the same alias name.

Now my main question is what's the point of importing the certificate created for me?
Is that certificate supposed to overwrite the other incone private key entry as a trustedCertEntry?


Thank You
January
 
Ranch Hand
Posts: 34
Depends on who the Issuing CA is and what their chain looks like. Post the contents of CA_Chain.crt and doors01-10242011.crt so I can tell if your chain is intact.

Arshad Noor
StrongAuth, Inc.
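
Added example, not written by either poster: keytool raises "Failed to establish chain from reply" when it cannot build a chain from the certificate reply up to a certificate it already trusts, which is the "is your chain intact" question asked above. The script checks that with openssl instead of keytool, on a constructed throwaway root, intermediate and leaf; the `chain_ok` helper and all file names are hypothetical, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> leaf); nothing here comes
# from the poster's files. Assumes the openssl command-line tool is installed.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
cat > "$W/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF

# new_key_and_csr NAME: write NAME.key and NAME.csr with subject CN=NAME.
new_key_and_csr() {
    openssl req -new -config "$W/cfg" -newkey rsa:2048 -nodes \
        -keyout "$W/$1.key" -out "$W/$1.csr" -subj "/CN=$1" 2>/dev/null
}

# Root CA (self-signed), intermediate CA (signed by root), leaf (signed by intermediate).
openssl req -x509 -config "$W/cfg" -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$W/root.key" -out "$W/root.crt" -subj "/CN=root" -days 2 2>/dev/null
new_key_and_csr intermediate
openssl x509 -req -in "$W/intermediate.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
    -CAcreateserial -extfile "$W/cfg" -extensions ca -days 2 \
    -out "$W/intermediate.crt" 2>/dev/null
new_key_and_csr leaf
openssl x509 -req -in "$W/leaf.csr" -CA "$W/intermediate.crt" \
    -CAkey "$W/intermediate.key" -CAcreateserial -days 2 -out "$W/leaf.crt" 2>/dev/null

# chain_ok REPLY TRUSTED [INTERMEDIATES]: status 0 only if REPLY chains to a
# certificate in TRUSTED, optionally using the extra certs in INTERMEDIATES.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Only the root is trusted: the reply's issuer (the intermediate) is missing.
chain_ok "$W/leaf.crt" "$W/root.crt" || echo "root only: chain broken"
# Root trusted and intermediate supplied: the chain is complete.
chain_ok "$W/leaf.crt" "$W/root.crt" "$W/intermediate.crt" && echo "root + intermediate: chain intact"
```

Against real files, the issued certificate takes the place of the leaf and the CA's chain file takes the place of the trusted file; a failure means a link between the two is missing from what was imported.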