Re: Error during import of domain certificate from Comodo: keytool error: java.lang.Exception: Failed to establish chain from reply

Sun, 12 Apr 2015 08:58:00 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Fleur,

On 4/10/15 10:40 PM, Fleur Garage wrote:
> I am trying to enable SSL on Apache Tomcat/7.0.32.  Have generated
> a local self-signed cert and CSR and have sent the .csr for
> signing. I have received 4 certificates back from Comodo: 
> AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, 
> COMODORSAOrganizationValidationSecureServerCA.crt and my
> server/domain certificate.
> 
> Import of Root CA and both Intermediate certificates to my keystore
> was successful.  I received the message "Certificate was added to
> keystore" for each of them.
> 
> But, when I tried to import the server/domain certificate, I am
> getting the Failed to establish chain from reply. *keytool -import
> -trustcacerts -alias tomcat -file <domain.crt> -keystore 
> mykeystore*
> 
> Note that the alias (tomcat) I used here is the same alias I used
> to generate the csr. Does anyone have an idea on how to resolve
> this issue?

You'll need to import the root and intermediate certificates from the
CA first, which it sounds like you did. Just to confirm, you did
something like this:

 $ keytool -import -alias [Authority.CA] -trustcacerts -file
[authority's CA cert] -keystore ${HOSTNAME}.jks

 $ keytool -import -alias [Authority.intermediate] -trustcacerts -file
[authority's intermediate cert] -keystore ${HOSTNAME}.jks

(you may have to do this more than once if you have multiple
intermediate certificates)

 $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore
${HOSTNAME}.jks

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVKpWlAAoJEBzwKT+lPKRY7nYP/2n6RGUUNcS6TndwIVqxmYBw
PRJoc30j4+radbnCjHRS1xzbFl3NZZE4JchLjllArTC37oPE91WvtQQzk7WiDE4U
MXweBmHFI9fbQ4Vhk88d1PVkctwu67dxSwUAZWepb5aF1BY97yWRAUP5kvqWlMez
fWweRXE9So90BIIw9MCktn0v/y2LN1B1j0Vx3SrfnCFbZjDobmULIfeDeD03yjgt
kfVxq3HJkVUmREoTikmQNgV/5TbEpUooj4nqopq30ALdRjikJxLsWcAkfwTt1Weh
cBQ0rnWZY4UopdLV/iXM6MrMvMkr59siY0LDibYkzqLYXIZlsyg36zrauXFosLmW
Ppl4iTxi9eUWl5HQaV5hhbySSHGQQPeXtJGrdgSuNy4mFShQWrWlBpEVrhVocJYn
IIdX4B3b6oTRFhfJaEbc+CZ1manrp1jv3MPxdtfDy2e548DKTH6wrKgf2S22QCxj
fLTYmd2mu4F2zqA3UOkC/epoJdpFhuIMZzKhopnUGPtyUoFJB5x6aEZhddRxjPQ+
PIbjc5ttH9R9z663/bxoaqse8YbZTX9bJqerxtQ+RV/WDO5roVz3XRuZNB9ln983
MRtp8DknIr5TWwhm0DUbB1gYC9TcNRcAi5p1JDNRw3JVGzcr6IHgL2DhQX1Lw3+H
zxEpdJ6DJElRONcuK42/
=1/Pn
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to