----- Original Message -----
From: "Kit" <[EMAIL PROTECTED]>
To: "Orion-Interest" <[EMAIL PROTECTED]>
Sent: Thursday, October 12, 2000 4:54 PM
Subject: SSL question
>
> Hi all
>
> I have a problem using the command below.
>
> keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer
>
> I get this error:
>
> keytool error: Failed to establish chain from reply
>
>
> But, this command worked fine
>
> keytool -import -trustcacerts -file my.host.com.cer
>
>
>
> Is there any problem using the second command, since it's missing some
> arguments as indicated in the ssl-how-to documentation.
>
> Thanks
>
> -kit
>
>
The problem with the first command is that keytool can't find the root CA
certificates in your keystore and therefore can't build up the certificate
chain from your server key to the trusted root certificate authority. With
the second example, keytool is using the system keystore and can locate the
root CA certs in <jdk-dir>/jre/lib/security/cacerts.
When I created my keystore I used a certificate from BT Trustwise, which is
an intermediate CA, so I had yet another cert to add. The commands went
something like this (assume keystore does not yet exist):
keytool -keystore keystore -import -alias cacert -file cacert.cer
keytool -keystore keystore -import -alias intercert -file inter.cer
(Only need this one if you are using an intermediate signing authority like BT
Trustwise.)
keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
keytool -keystore keystore -certreq -alias serverkey -file my.host.com.csr
Get cert from CSR then:
keytool -keystore keystore -import -file my.host.com.cer -alias serverkey
That should be that. You can do a keytool -keystore keystore -v -list and
check that a cert chain has been built.
You can probably get round your problem just by importing the ca certs into
your keystore and then trying to re-add your server cert.
HTH
Mike
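An added, runnable walk-through of the procedure in Mike's reply (example code written for this page, not part of the original thread or of any vendor's tooling). It builds a throwaway root and intermediate CA with openssl in place of BT Trustwise, reproduces Kit's "Failed to establish chain from reply" by importing the signed reply into a keystore that holds no CA certs, then repeats the import after loading the root and intermediate first and checks that keytool reports a three-certificate chain. The host name my.host.com, the CA names, the aliases and the password are made up; the script assumes openssl and a JDK keytool on PATH and uses the -genkeypair/-importcert spellings that current keytool accepts for -genkey/-import.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce Kit's
# "Failed to establish chain from reply" and Mike's fix end to end, using a
# throwaway root + intermediate CA built with openssl in place of BT Trustwise.
# Needs openssl and a JDK keytool on PATH. Every name below (my.host.com,
# "Test Root CA", the aliases, the password) is made up for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=changeit   # demo keystore password (assumption); use a real one in practice

# Build the test CA hierarchy: root -> intermediate. Extensions come from
# explicit -extfile sections so no system openssl.cnf defaults leak in.
make_test_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/CN=Test Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj "/CN=Test Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" >/dev/null 2>&1
}

# Mike's -genkey / -certreq steps for the server key. $1 = keystore path.
# The CSR must be made for the same alias the key was generated under.
gen_server_key() {
  keytool -keystore "$1" -storepass "$PASS" -keypass "$PASS" -genkeypair \
    -keyalg RSA -keysize 2048 -alias serverkey -dname "CN=my.host.com" >/dev/null 2>&1
  keytool -keystore "$1" -storepass "$PASS" -certreq -alias serverkey \
    -file "$WORK/server.csr" >/dev/null 2>&1
}

# Stand-in for the real CA: sign the CSR with the intermediate key.
sign_server_csr() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:my.host.com\nauthorityKeyIdentifier=keyid\n' > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Kit's failing case: the keystore holds only the key, no CA certs, so
# keytool cannot chain the reply up to a trusted root. Prints the error text.
import_reply_without_cas() {
  ks="$WORK/bad.keystore"; rm -f "$ks"
  gen_server_key "$ks"
  sign_server_csr
  keytool -keystore "$ks" -storepass "$PASS" -importcert -alias serverkey \
    -file "$WORK/server.crt" 2>&1 | grep -o 'Failed to establish chain from reply' || true
}

# Mike's fix: import root and intermediate first; the reply then chains up.
# Prints the chain length keytool reports for the serverkey entry.
import_reply_with_cas() {
  ks="$WORK/good.keystore"; rm -f "$ks"
  keytool -keystore "$ks" -storepass "$PASS" -importcert -noprompt \
    -alias cacert -file "$WORK/ca.crt" >/dev/null 2>&1
  keytool -keystore "$ks" -storepass "$PASS" -importcert -noprompt \
    -alias intercert -file "$WORK/inter.crt" >/dev/null 2>&1
  gen_server_key "$ks"
  sign_server_csr
  keytool -keystore "$ks" -storepass "$PASS" -importcert -alias serverkey \
    -file "$WORK/server.crt" >/dev/null 2>&1
  keytool -keystore "$ks" -storepass "$PASS" -list -v -alias serverkey 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}

if [ "${1:-}" = "run" ]; then
  make_test_ca
  echo "no CA certs in keystore: $(import_reply_without_cas)"
  echo "CA certs imported first: chain length $(import_reply_with_cas)"
fi
```

Run it as `sh chain-demo.sh run`. The second keystore ends up with the same three-certificate chain that `keytool -keystore keystore -v -list` shows in Mike's setup; the first reproduces Kit's error because nothing in that keystore can vouch for the reply, and without `-trustcacerts` keytool does not fall back to the JDK's cacerts file.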