Sunday, June 23, 2013

Installing GoDaddy SSL Certificate keytool error: java.lang.Exception: Failed to establish chain from reply - fixed



Problem: The error "keytool error: java.lang.Exception: Failed to establish chain from reply" appears while importing the GoDaddy SSL certificate into the keystore file.


Server: Tomcat 7

Solution: Make sure all the certificates from the chain are imported into the keystore. You can identify the certificates in the chain by opening the certificate received from the CA. Double-click the file and go to the Certification Path tab. You should be able to get the chain from there. Check https://certs.godaddy.com/anonymous/repository.pki to obtain the individual certificates.


Details:


1) Open the certificate issued by GoDaddy, which is named after your domain name.

2) The chain requires that you install the "Go Daddy Root Certificate Authority - G2" root certificate first, then the "Go Daddy Secure Certificate Authority - G2" intermediate certificate, and finally the "test.co.in" certificate.

3) The question is where to find the first two certificates. Go to https://certs.godaddy.com/anonymous/repository.pki and look for the above two certificates, as in the image below.

4) Follow these command-line instructions to install the standard certificate issued by GoDaddy, using the files and procedure mentioned above.


keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gdroot-g2.crt


keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt


keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file test.co.in


The above process completely resolved the chain exception, and I was able to install the SSL certificate into Tomcat successfully.
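
A pre-import check for the chain described above, added here as an example and not part of the original post. It assumes the openssl command-line tool is installed and that the three files are PEM encoded; cert_field and check_chain are hypothetical helper names.

```shell
#!/bin/sh
# Added example: confirm the three files form one chain before importing them.
# Assumes the openssl CLI is installed and all files are PEM encoded.

# Print the subject or issuer DN of a certificate on one normalized line.
cert_field() {  # $1 = subject|issuer, $2 = certificate file
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 2>/dev/null |
        sed 's/^[a-z]*= *//'
}

# Return 0 if root -> intermediate -> server certificate link up and verify,
# 1 if a link is broken, 2 if a file cannot be read as a certificate.
check_chain() {  # $1 = root, $2 = intermediate, $3 = server certificate
    for f in "$1" "$2" "$3"; do
        [ -n "$(cert_field subject "$f")" ] ||
            { echo "cannot read certificate: $f" >&2; return 2; }
    done
    [ "$(cert_field issuer "$1")" = "$(cert_field subject "$1")" ] ||
        { echo "$1 is not self-signed, so it is not the root" >&2; return 1; }
    [ "$(cert_field issuer "$2")" = "$(cert_field subject "$1")" ] ||
        { echo "$2 was not issued by $1" >&2; return 1; }
    [ "$(cert_field issuer "$3")" = "$(cert_field subject "$2")" ] ||
        { echo "$3 was not issued by $2" >&2; return 1; }
    # Matching names is only a hint; check the signatures as well.
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 ||
        { echo "signature or validity check failed" >&2; return 1; }
    echo "chain OK: import $1, then $2, then $3"
}

# Usage with the file names from this post:
#   check_chain gdroot-g2.crt gdig2.crt test.co.in
```

If the intermediate is missing or the files are passed in the wrong order, the function names the broken link, which is the same gap keytool reports as "Failed to establish chain from reply".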