Error "Failed to establish chain from reply" while importing a CA issued certificate to a TIBCO Spotfire Server Java keystore

book

Article ID: KB0072911

calendar_today

Updated On:

Products	Versions
Spotfire Server	All versions

Description

You try to import a CA-issued certificate to the TIBCO Spotfire Server Java keystore by running a command like the following:

 C:\tibco\tss\11.4.1\jdk\bin>keytool -import -alias spotfire -file C:\tibco\tss\11.4.1\tomcat\certs\servercert.cer -keystore C:\tibco\tss\11.4.1\tomcat\certs\spotfire.jks

You then get an error message:

"keytool error: java.lang.Exception: Failed to establish chain from reply"

This can happen when the certificate fails to build the chain as Root and/or Intermediate certificates have not been imported properly or in the correct order.

Issue/Introduction

When importing a CA issued certificate to a TIBCO Spotfire Server Java keystore, you get the error "Failed to establish chain from reply". This can be a result of the root and/or intermediate certificates not having been imported properly or in the correct order.

Environment

All

Resolution

Option A
Ask the CA admin to provide the certificate in .p7b format which exports the chain along with Root and intermediate certificates.
You can then run the below command to import the certificate:

 keytool -import -alias spotfire -file <Spotfire Server Install>tomcat\certs\servercert.p7b -keystore <Spotfire Server Install>\tomcat\certs\spotfire.jks

Option B
Follow the below steps to import the certificates individually once you have the .p7b format certificate

View your certificate on a computer running Windows. You will be able to see the certificate chain on the third tab that looks like the following image.
Select the root certificate from the chain and click on the button "View Certificate".
A new window opens, go to the second tab and click on the "Save File" button. This opens an export wizard for your certificate.
When exporting, select the X.509 base 64 option and follow the instructions. Save the file.
Repeat for the intermediate certificate.
Copy both certificates to your server and import into the keystore following the order - first root, second intermediate and finally your certificate using the below commands:

 keytool -import -alias spotfire -file <Spotfire Server Install>\tomcat\certs\Rootcert.cer -keystore <Spotfire Server Install>\tomcat\certs\spotfire.jks keytool -import -alias spotfire -file <Spotfire Server Install>\tomcat\certs\Intermediate.cer -keystore <Spotfire Server Install>\tomcat\certs\spotfire.jks keytool -import -alias spotfire -file <Spotfire Server Install>\tomcat\certs\servercert.cer -keystore <Spotfire Server Install>\tomcat\certs\spotfire.jks

Additional Information

Stack Overflow, "keytool error: java.lang.Exception: Failed to establish chain from reply"

https://stackoverflow.com/questions/23611688/keytool-error-java-lang-exception-failed-to-establish-chain-from-reply

Feedback

thumb_up Yes

thumb_down No

Welcome to "KB Articles"