Keytool import error

soma2810
Joined: 2010-05-27

Good Day,

I have installed the following version of GlassFish Application Server,

# ./asadmin version
Version = Sun GlassFish Enterprise Server v2.1.1

I followed the below steps to install a certificate signed by a CA,

1. Deleted the existing certificate using the following command,
keytool -delete -alias s1as -keystore keystore.jks -storepass

2. Then generated the key pair
keytool -genkeypair -keyalg RSA -keystore keystore.jks -validity -alias s1as

3. Then created a certificate request for getting it signed by CA
keytool -certreq -alias s1as -file -keystore keystore.jks -storepass

4. Then importing the signed certificate
keytool -import -v -alias s1as -file s1as.cert -keystore keystore.jks -storepass

The above steps were given by CA using the url, http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2.

When trying to import the certificate I get the following error,

# keytool -import -v -alias s1as -file s1as.cert -keystore keystore.jks -storepass

keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)

It would be really nice if someone could help me out here and a few forums suggest to convert the format of the certificate file to pkcs#7 format, but I don't find the exact commands to do it. I used the tool suggested in the below url, but it didn't help.

https://www.sslshopper.com/ssl-converter.html.

It would be really nice if someone could help since I have been stuck with the issue for almost 4 weeks.

Thanks in Advance.

soma2810
Joined: 2010-05-27

Hi Martin,

Thanks for the response.

I have already got the certificate signed by Verisign. Once I got it signed I tried to import the certificate into the Glassfish server and that's when I am getting this error. I guess I am supposed to import the certificate for the GlassFish to understand that there is a new signed certificate, right??

Thanks..

Martin Gainty

#4 Submit the CSR to a CA such as VeriSign. In response, you should receive a signed server certificate. Make sure to import into your browser the CA certificate of the CA and any intermediate certificates indicated by the CA in the reply.

BTW: the prefix of the cert must match the FQ hostname where the certificate is located

It's important you NOT skip any of these directions

Martin
> Date: Fri, 16 Jul 2010 02:41:07 -0700
> From: glassfish@javadesktop.org
> To: users@glassfish.dev.java.net
> Subject: Keytool import error
>
> [Message sent by forum member 'soma2810']
>
> http://forums.java.net/jive/thread.jspa?messageID=477794

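
Added example, not part of any poster's message: a constructed lab that reproduces "Failed to establish chain from reply" and then clears it by importing the issuing CA certificate as a trusted entry before the reply. A throwaway CA stands in for the real one; the alias `labroot`, the file names and the password are assumptions, and only the alias `s1as` comes from the thread.

```shell
#!/bin/sh
# Constructed lab: a throwaway CA stands in for the real one. The alias "labroot",
# the file names and the password are assumptions; s1as is the thread's alias.
PASS=changeit
KT="keytool -J-Duser.language=en"   # force English output so it can be parsed

# Build a CA, an s1as key pair, its CSR and the CA-signed reply in directory $1.
make_lab() {
  ( cd "$1" &&
    $KT -genkeypair -keyalg RSA -keysize 2048 -alias labroot -dname "CN=Lab Root CA" \
      -ext bc=ca:true -validity 30 -keystore ca.jks -storepass "$PASS" -keypass "$PASS" &&
    $KT -exportcert -rfc -alias labroot -file root.pem -keystore ca.jks -storepass "$PASS" &&
    $KT -genkeypair -keyalg RSA -keysize 2048 -alias s1as -dname "CN=host.example.test" \
      -validity 30 -keystore keystore.jks -storepass "$PASS" -keypass "$PASS" &&
    $KT -certreq -alias s1as -file s1as.csr \
      -keystore keystore.jks -storepass "$PASS" -keypass "$PASS" &&
    $KT -gencert -rfc -alias labroot -infile s1as.csr -outfile s1as.cert \
      -keystore ca.jks -storepass "$PASS" -keypass "$PASS"
  ) >/dev/null 2>&1
}

# Step 4 from the thread: import the CA reply over the existing s1as key entry.
# keytool must link the reply to a certificate it already trusts, or it aborts.
import_reply() {
  $KT -importcert -noprompt -alias s1as -file "$1/s1as.cert" \
    -keystore "$1/keystore.jks" -storepass "$PASS" -keypass "$PASS" 2>&1
}

# The step that has to come first: add an issuing CA certificate as a trusted entry.
# Arguments: $1 = directory, $2 = alias for the CA entry, $3 = CA certificate file.
trust_ca() {
  $KT -importcert -noprompt -trustcacerts -alias "$2" -file "$3" \
    -keystore "$1/keystore.jks" -storepass "$PASS" 2>&1
}

# Certificates in the s1as chain: 1 means the self-signed placeholder is still there.
chain_length() {
  $KT -list -v -alias s1as -keystore "$1/keystore.jks" -storepass "$PASS" |
    sed -n 's/^Certificate chain length: //p'
}
```

With a commercial CA, run `trust_ca` once for the root and once for each intermediate certificate the CA supplies, each under its own alias, and only then `import_reply`.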