Tuesday, July 21, 2015

Resolve - keytool error: java.lang.Exception: Failed to establish chain from reply

This blog post is related to my previous post 'Add CA signed certificate to keystore'. When you import the CA signed certificate into your keystore, you may get the following error:

keytool error: java.lang.Exception: Failed to establish chain from reply

The cause of this error
This error occurs if
  • the correct root certificate has not been imported into the keystore, or
  • the correct intermediate certificate has not been imported into the keystore.
The root cause is that when you import the signed certificate under an alias that already holds a private key, keytool treats the file as a certificate reply and tries to build a chain from it: it takes the Issuer of the reply, looks for a trusted certificate in the keystore (and in the JRE's cacerts file, if -trustcacerts is given) whose Subject (Owner) matches, verifies the reply's signature with that certificate's public key, and repeats until it reaches a self-signed root. If any link is missing, typically the intermediate that actually signed your certificate, the chain cannot be completed and the import is refused. A quick check is to compare the Issuer that keytool -printcert shows for the reply with the Owner of each trusted entry in the keytool -list -v output; the missing link is the one with no matching Owner. A name match alone is not enough, because the signature must also verify, so an intermediate from a different product line of the same CA that happens to carry a similar name will not work either.

The solution is to

import the correct root and intermediate certificates for the CA and the certificate type you bought (a CA usually runs several intermediates, one per product line, so pick the one that matches your certificate), and to import them before the signed certificate. For example, if you are using VeriSign you can find all the intermediate and root certificates here.

Add CA signed certificate to keystore

A keystore is a file that stores private keys, certificates and symmetric keys as key-value pairs. Each entry is identified by a unique name called an 'alias'. In this blog post I will go through a very common use case where we have to get a certificate signed by a CA and import it into the keystore.

As a prerequisite, make sure that Java is installed correctly and that the JDK's bin directory (where keytool lives) is on the PATH. Then follow these steps.

1. Create a key store

You can create a keystore, with a fresh RSA key pair in it, by executing the following command (-genkey is the older name of -genkeypair; both work).

keytool -genkey -alias democert -keyalg RSA -keystore demokeystore.jks -keysize 2048

You will be prompted for a keystore password and for the information below.

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  wso2
What is the name of your organization?
  [Unknown]:  wso2
What is the name of your City or Locality?
  [Unknown]:  colombo
What is the name of your State or Province?
  [Unknown]:  WP
What is the two-letter country code for this unit?
  [Unknown]:  LK
Is CN=localhost, OU=wso2, O=wso2, L=colombo, ST=WP, C=LK correct?
  [no]:  yes

Enter key password for <democert>
(RETURN if same as keystore password):

This generates a private key and a self-signed certificate for it, stored under the alias specified in the command (ex: democert). No -validity was given, so the self-signed certificate is valid for the default 90 days; this does not matter much, since it is replaced by the CA signed certificate in step 6.

Once the command completes, a new file named demokeystore.jks is created in the directory from which you ran it.

2. View the content in the created keystore.

You can execute the following command to view the content of the keystore created in step 1. (Passing -storepass on the command line puts the password in your shell history and in the process list; omit it and keytool will prompt for it instead.)

keytool -list -v -keystore demokeystore.jks -storepass password

You will see output similar to:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: democert
Creation date: Jul 21, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=localhost, OU=wso2, O=wso2, L=colombo, ST=WP, C=LK
Issuer: CN=localhost, OU=wso2, O=wso2, L=colombo, ST=WP, C=LK
Serial number: 2ef9b438
Valid from: Tue Jul 21 18:46:12 IST 2015 until: Mon Oct 19 18:46:12 IST 2015
Certificate fingerprints:
MD5:  2F:1B:EF:8E:95:5D:0E:0F:81:34:FE:4A:27:A9:68:A8
SHA1: FD:9D:98:A1:FB:36:DD:6B:D7:1A:F6:E8:AC:98:35:3A:5E:3C:7F:9A
SHA256: CF:02:15:41:9E:CC:67:65:85:33:4A:E4:3D:B9:C4:C5:B2:04:CD:A8:FF:B6:63:D6:DB:DC:79:85:51:79:FA:1E
Signature algorithm name: SHA256withRSA
Version: 3


#1: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9B D4 69 A2 D9 A8 E0 22   02 D6 4F 57 71 3B 27 F4  ..i...."..OWq;'.
0010: 18 8E 7F 4F                                        ...O


3. Create CSR

The certificate in the keystore created in step 1 is self-signed. For clients to trust it, you need to get it signed by a Certificate Authority (CA), and for that a Certificate Signing Request (CSR) has to be generated from the same key pair. You can use the following command for that.

keytool -certreq -v -alias democert -file csr_request.pem -keypass password -storepass password -keystore demokeystore.jks

A csr_request.pem file is then created in the directory from which you ran the command. It contains only the public key and the subject name, signed with the private key; the private key itself never leaves the keystore.

4. Get the certificate signed by CA

In this blog post I'm going to use the VeriSign free trial version to get the certificate signed. If you are using this trial version the certificate is valid for only 30 days. Follow the wizard here. When you are asked for the CSR, open the generated csr_request.pem in a text editor, copy the content and paste it into the text area in the wizard. After you have completed the wizard you will receive an email from VeriSign with the signed certificate.

5. Import the root and intermediate certificates to the keystore

Before importing the signed certificate you have to import the root and intermediate certificates into the keystore. The root certificate for the VeriSign trial version can be found here (trial certificates are issued under a separate test root, not the production VeriSign root, so make sure you take the one that matches your certificate). Copy the text of the root certificate, including the BEGIN CERTIFICATE and END CERTIFICATE lines, into a new file and save it as verisign_root.pem.

Now you can import the root certificate into the keystore by executing the following command. -trustcacerts lets keytool also consult the JRE's cacerts file when checking the certificate, and -noprompt skips the "Trust this certificate?" question; since you are adding a new trust anchor, check the fingerprint against the value the CA publishes before importing it.

keytool -import -v -noprompt -trustcacerts -alias verisigndemoroot -file verisign_root.pem -keystore demokeystore.jks -storepass password

The root certificate is now stored as a trusted certificate entry (Entry type: trustedCertEntry). You can verify that by listing the keystore content as in step 2.

The next step is to import the intermediate certificate. For the VeriSign trial version you can get the intermediate certificate here. Copy the text and save it in a new file (verisign_intermediate.pem).

Import the intermediate certificate:

keytool -import -v -noprompt -trustcacerts -alias verisigndemoim -file verisign_intermediate.pem -keystore demokeystore.jks -storepass password

6. Import the CA signed certificate to keystore

Now we can import the signed certificate. You can find it in the email you received from VeriSign. Copy the certificate text, including the BEGIN CERTIFICATE and END CERTIFICATE lines. For example,


Create a new text file, paste this content and save it as verisign_signed.pem.
Import it with the following command. The alias must be the one that holds the private key (democert): that is what makes keytool treat the file as a certificate reply, check that its public key matches the key in the keystore, and replace the self-signed certificate with the signed chain. Importing it under a new alias would only add it as a separate trusted certificate entry.

keytool -import -v -alias democert -file verisign_signed.pem -keystore demokeystore.jks -keypass password -storepass password

Now you have the CA signed certificate in your keystore; keytool confirms this with "Certificate reply was installed in keystore". You can verify it by listing the keystore content as in step 2: the democert entry should now show "Certificate chain length: 3" (your certificate, the intermediate and the root), and its Issuer should be the CA's intermediate rather than your own name. If you instead get "Failed to establish chain from reply", the intermediate or root imported in step 5 does not match the one that signed your certificate; see the post above.