Generate keystore:
keytool -genkey -alias tomcat -keyalg RSA -keystore my.keystore -keysize 2048
Generate certificate signing request (CSR):
keytool -certreq -alias tomcat -keyalg RSA -file my.csr -keystore my.keystore
I then go off to my hosting provider and get some certificates. These I installed as follows:
keytool -import -alias root -keystore my.keystore -trustcacerts -file gd_bundle-g2-g1.crt
keytool -import -alias intermed -keystore my.keystore -trustcacerts -file gdig2.crt
keytool -import -alias tomcat -keystore my.keystore -trustcacerts -file my.crt
When I installed the final certificate (my.crt) I got the following error:
keytool error: java.lang.Exception: Failed to establish chain from reply
I believe I have imported the chain and in the correct order so I'm very confused by this message. Can anyone see what I'm doing wrong?
The certificates in cacerts are a kind of default trust list, the officially trusted root certificates (similar to the lists your browser trusts by default). The option is not really necessary since you can always force the import for a certificate.
Check the contents of the trust store by entering the following in the command prompt: <JAVA_HOME>\bin\keytool -list -v -keystore truststore -storepass access. Note the alias names of the certificates you want to remove. Enter <JAVA_HOME>\bin\keytool -delete -alias <alias name> -keystore truststore.
KeyStore Aliases
An alias is specified when you add an entity to the keystore using the -genseckey command to generate a secret key, -genkeypair command to generate a key pair (public and private key) or the -importcert command to add a certificate or certificate chain to the list of trusted certificates.
I've just discovered that the files GoDaddy supplied with my certificate are both intermediate certificates (in fact they seem to both be the same intermediate certificate).
I got the correct root and intermediate certificates by double-clicking on my certificate and looking at the certificate path... from here I could also download each of these certificates and use the steps used in the question to import them.
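A way to catch the situation described in the answer before running the imports, as an added example that is not part of the original posts: it reads the Owner and Issuer lines that `keytool -printcert -file <file>` prints for each file and reports which issuer is missing and which files are duplicates. The distinguished names are constructed sample data, and linking certificates by name only is a simplifying assumption (keytool also verifies signatures).

```python
import re

# Constructed sample: the Owner/Issuer lines `keytool -printcert -file <f>` prints.
# All distinguished names are made up; the file names follow the question.
INTERMEDIATE = "Owner: CN=Example Intermediate CA, O=Example\nIssuer: CN=Example Root CA, O=Example\n"
SUPPLIED = {
    "my.crt": "Owner: CN=www.example.test\nIssuer: CN=Example Intermediate CA, O=Example\n",
    "gdig2.crt": INTERMEDIATE,
    "gd_bundle-g2-g1.crt": INTERMEDIATE,  # same intermediate again, no root
}
ROOT = {"root.crt": "Owner: CN=Example Root CA, O=Example\nIssuer: CN=Example Root CA, O=Example\n"}

def parse_printcert(text):
    """Return (owner, issuer) from keytool -printcert output."""
    owner = re.search(r"^Owner:\s*(.+)$", text, re.M)
    issuer = re.search(r"^Issuer:\s*(.+)$", text, re.M)
    if not owner or not issuer:
        raise ValueError("no Owner/Issuer lines found")
    return owner.group(1).strip(), issuer.group(1).strip()

def trace_chain(leaf, files):
    """Walk issuer links from the leaf file and return (chain, missing).

    chain lists the file names used; missing is the issuer DN that no file
    provides, or None once a self-signed root is reached.
    Assumption: links are matched by DN only; keytool also checks signatures.
    """
    parsed = {name: parse_printcert(text) for name, text in files.items()}
    by_owner = {}
    for name in sorted(parsed):            # duplicates collapse onto one file
        by_owner.setdefault(parsed[name][0], name)
    chain, current = [leaf], leaf
    while True:
        owner, issuer = parsed[current]
        if owner == issuer:
            return chain, None             # self-signed root: chain complete
        nxt = by_owner.get(issuer)
        if nxt is None or nxt in chain:
            return chain, issuer           # gap or loop: the reply import fails
        chain.append(nxt)
        current = nxt

def duplicates(files):
    """Group file names that carry the same (owner, issuer) pair."""
    groups = {}
    for name, text in files.items():
        groups.setdefault(parse_printcert(text), []).append(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]
```

A non-None second value from `trace_chain` names the certificate that still has to be obtained and imported before the signed reply will chain.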