During the import, this error might occur: keytool error: java.lang.Exception: Failed to establish chain from reply
This error indicates that the certificate being imported does not match either:
- The common name of the key entry created for the imported certificates, or
- The alias of the key entry.
In order to avoid this error, the following points should be double-checked:
- Alias of the imported certificate: If you are importing the chain files in PEM format, each of them must be given a different alias (e.g. root for the root certificate, intermediate1 or intermediate2 for the intermediate certificates). The end-entity certificate must be imported under the alias of the private key entry (the keystore alias).
- The end-entity certificate imported into the keystore does not match the private key in that keystore. This means that the imported certificate differs from the key entry in the keystore either in common name or in alias. To avoid this, check the verbose keystore listing, where the correct domain name and alias can be found:
Command is the following: keytool -list -keystore 'keystore name' -v
Once this is checked, rerun the import command against the correct keystore.
- The CA bundle chain certificates do not sign the end-entity certificate or the other certificates in the bundle. This can occur if PEM certificates are imported and the strict import order was not followed. The order is as follows: root certificate -> second intermediate (signed by the root) -> first intermediate (signed by the second intermediate) -> end-entity certificate (signed by the first intermediate). If the order is broken, keytool cannot establish a valid chain between a certificate's subject and its issuer. An incorrectly imported certificate entry can be removed with the following command:
Command is the following: keytool -delete -alias 'needed alias' -keystore 'keystore name' -storepass 'keystore password'
Once the entries are deleted, import the certificates in the correct order.
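The following shell helper is an added example, not part of the original article: it checks with openssl that a list of PEM files really is in the root -> intermediate(s) -> end-entity order described above before any keytool import is attempted, then imports them with the alias scheme from the first point (root, intermediate1, intermediate2, ..., and the private-key alias for the end-entity certificate). The function names and the use of openssl verify for the signature check are my own choices.

```shell
# Added example (not from the original article). Checks that PEM files are in
# the strict import order root -> intermediate(s) -> end-entity, then imports
# them. Requires openssl; keytool is only needed by import_chain_in_order.

# dn subject|issuer FILE: print that DN of a PEM certificate, prefix stripped
dn() {
    openssl x509 -in "$2" -noout "-$1" 2>/dev/null | sed 's/^[a-z]*=//'
}
# check_chain_order ROOT.pem [INTERMEDIATE.pem ...] END_ENTITY.pem
# Returns 0 if each certificate is issued by the previous one, 1 otherwise.
check_chain_order() {
    prev=""
    for cert in "$@"; do
        if [ -z "$prev" ]; then
            # The list must start with the self-signed root.
            if [ "$(dn subject "$cert")" != "$(dn issuer "$cert")" ]; then
                echo "ERROR: $cert is not self-signed; start with the root" >&2
                return 1
            fi
        else
            # Issuer of this cert must equal the previous subject, and the
            # signature must verify against the previous certificate.
            if [ "$(dn issuer "$cert")" != "$(dn subject "$prev")" ]; then
                echo "ERROR: $cert is not issued by $prev (issuer/subject mismatch)" >&2
                return 1
            fi
            if ! openssl verify -partial_chain -CAfile "$prev" "$cert" >/dev/null 2>&1; then
                echo "ERROR: signature on $cert does not verify against $prev" >&2
                return 1
            fi
        fi
        prev="$cert"
    done
}

# import_chain_in_order KEYSTORE STOREPASS KEY_ALIAS ROOT.pem [INTERMEDIATE.pem ...] END_ENTITY.pem
# Aliases: root, intermediate1, intermediate2, ...; the end-entity certificate
# goes under KEY_ALIAS, the alias of the private key entry it belongs to.
import_chain_in_order() {
    ks="$1"; pass="$2"; keyalias="$3"; shift 3; n=0; i=0
    check_chain_order "$@" || return 1
    for cert in "$@"; do
        n=$((n + 1))
        if [ "$n" -eq 1 ]; then alias=root
        elif [ "$n" -eq $# ]; then alias="$keyalias"
        else i=$((i + 1)); alias="intermediate$i"; fi
        keytool -importcert -noprompt -trustcacerts -keystore "$ks" \
            -storepass "$pass" -alias "$alias" -file "$cert" || return 1
    done
}
```

Run check_chain_order on its own first; it reports the exact pair where the subject/issuer chain breaks, which is the information the keytool error hides.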