Keytool and the "Failed to establish chain from reply" Error

We want to hear from you! Please send us your FEEDBACK.

The following technical article may contain actual software programs in source code form. This source code is made available for developers to use as needed, pursuant to the terms and conditions of this license.

Introduction

Commands

The first step in importing a certificate reply is to generate a private key/public certificate pair using the -genkey flag of the Java programming language tool, keytool (See Command 1.1). Keytool is found under the java.home/bin directory where java.home points to the Java 2 runtime environment directory.
 

Command 1.1 keytool -genkey -alias <subjectkey> -keypass <mykeypasswd> -keystore <mykeystore>  -storepass <storepass> For example: keytool -genkey -alias joe -keypass joepass -keystore keystore -storepass password A new keystore file is created called keystore with the password, password. In the keystore, a key entry is created that is aliased by joe, and protected by the password, joepass.

Command 1.1 will create a key entry referenced by the alias <subjectkey>, protected by the password <mykeypasswd>, in the keystore <mykeystore>. The key entry password is required every time the alias <subjectkey> is used. The keystore <mykeystore> is protected by the store password <storepass>. In this example, the keystore <mykeystore> is a file of the same name, located in the current directory. The value of <mykeystore> can be a pathname to a keystore file. If the <mykeystore> file exists, then the store password must be the password protecting that keystore, otherwise Command 1.1 will  create a keystore file, called <mykeystore>, protected by the password, <storepass>.

A keystore contains a set of key entries. A key entry consists of a private key and a corresponding public, self-signed certificate. The self-signed certificate has been signed only by the executer of the key generation command (that is, Command 1.1). The entity that generates a private/public key pair is referred to as a subject. In order for other sources to trust the subject's public self-signed certificate, it should be certified by a Certificate Authority (CA). Examples of Certificate Authorities are Verisign, Entrust, Thawte Consulting, and BelSign. A Certificate Authority will verify the subject's identity, (usually in an off-line, manual process) and will sign the subject's public self-signed certificate, if successful. The subject must generate a Certificate Signed Request (CSR) from their self-signed certificate, to send to the CA for authentication. A Certificate Signed Request is created by using Command 2.1.
 

Command 2.1 keytool -certreq  -alias <subjectkey> -keypass <mykeypasswd> -keystore <mykeystore> -storepass <storepass> -file <myCertificate.cer> For example: keytool -certreq -alias joe -keypass joepass -keystore keystore -storepass password -file joeCertificate.cer

Command 2.1 will create a CSR for the self-signed certificate in the key entry aliased by <subjectkey>, which is stored in <mykeystore>. The generated CSR is placed in the file <myCertificate.cer>.

In response to a CSR, a CA will return a certificate reply which needs to be imported into the corresponding key entry of the keystore. In this example, the certificate reply is imported into the key entry aliased by <subjectkey>. By importing the certificate reply into the keystore, it will ultimately replace the public self-signed certificate part of the corresponding key entry. A certificate reply can be either a single certificate or a chain of certificates that conforms to the PKCS#7 format (RFC 2315). In the case of a single certificate, it will be the issuer-signed certificate. The issuer-signed certificate defines a certificate generated by the CA that authenticated the subject's self-signed certificate in the CSR.  A chain of certificates is a list of certificates where the next certificate in the chain is the public certificate of the CA that authenticated the previous certificate in the chain. The chain starts with the issuer-signed certificate, then a support chain of public certificates from intermediate CAs, and ends in a root certificate. A root certificate is a public, self-signed certificate that is the last link in a certificate chain.

When a certificate reply is being imported into the keystore, keytool will check that a chain of trust can be established between the certificate reply and a root certificate in a keystore. If a chain of trust cannot be established, then a java.lang.Exception will be thrown with an error message similar to "Failed to establish chain from reply".

A subject may need to import a root certificate of the CA (that generated the certificate reply) into a keystore, in order to prevent the above exception from being thrown. If the certificate reply was generated by VeriSign or Thawte, then the subject may not need to import any VeriSign root certificates, because all Java 2 runtime environments are distributed with five root certificates issued from VeriSign. These root certificates are stored in a special keystore called the cacerts file, found under the java.home/lib/security directory, where java.home is a Java 2 runtime environment's home directory. The cacerts keystore contains certificates that are considered trusted by the subject. The cacerts keystore is considered separate from the subject's keystore that contains the private key/public certificate chains belonging to the subject. A subject should only place trusted root CA certificates into the cacerts keystore.

However, if the certificate reply was generated by a certificate authority whose root certificate is not present in the cacerts file, then the CA's public certificate will need to be imported into a keystore prior to importing the certificate reply.

There are a number of ways to import the CA's public root certificate:

OPTION 1

Prepend the CA's root certificate to the file containing the certificate reply in order to create a file conformant to the PKCS#7 format. Both the certificate reply and the CA's certificate can be viewed as text encoded Base64. By prepending the section of the CA's certificate delimited by the '--BEGIN' and 'END--' tags to the the certificate reply, the entire file will represent a chain of trust. If you place the root CA after the certificate reply, then the "Failed to establish a chain of trust'" exception will be thrown.

The format of the file would look like:

ROOT CA:

-----BEGIN CERTIFICATE-----
lkAJtetLJ?%dggfagneJ%#LJDfd .....
Lfg$^jLfgf.....
aLN^$jLfLK33#.....
.....
.....
.....
-----END CERTIFICATE-----

ISSUER CA SIGNED CERTIFICATE:

-----BEGIN CERTIFICATE-----
kItq$/mdfKhQhJ?.......
ljy;>fgYjklrjRJO/......
fg;lj@;ljfg^ms.....
.....
.....
.....
-----END CERTIFICATE------
 

This changed file is then imported into the keystore with the same alias as was used to generate the private key/public certificate pair (See command 3.1). In this case, the CA's certificate is specific for only this alias. In other words, if we import a second certificate reply from the same CA, the "Failed to establish chain..." exception will be thrown.
 

Command 3.1 keytool -import -alias <subjectkey > -file <chaincertificate.cer> -keypass <mykeypasswd> -keystore <mykeystore> -storepass <storepass> For example: keytool -import -alias joe -file joeChainCertificate.cer -keypass joepass -keystore keystore -storepass password The file, joeChainCertificate.cer stores the certificate reply returned by the CA. The contents of the certificate reply replace the self-signed certificate part of the key entry, aliased by joe.

Command 3.1 will import the certificate chain in the file <chaincertificate.cer>, into the key entry aliased by <subjectkey>, stored in <mykeystore>.

OPTION 2

In order to make the CA's root certificate available to any imported certificate reply (from the same CA), you can import the CA's certificate as a trusted certificate, into the cacerts keystore. When importing a certificate from a CA, first ensure that the subject has permissions to write to the cacerts file under the java.home/lib/security, where java.home is the home directory of a Java 2 runtime environment. Next, ensure that no certificate is stored in the cacerts keystore with the same alias that will be used to reference the CA certificate; otherwise the import will fail (See Command 4.1).
 

Command 4.1 keytool -list -alias <alias> -keystore <keystore> -storepass <store_password> For example: keytool -list -alias cakey -keystore /java.home/lib/security/cacerts -storepass changeit

Command 4.1 will display the contents of the key entry aliased by <alias> in the cacerts keystore. If the <alias> entry does not reference an existing certificate, then no output will be returned. The keystore password for cacerts is changeit, by default. In order to change the default password of the cacerts keystore, use Command 4.1.1. The cacerts password should be changed prior to using the cacerts file. Then place the certificate into the cacerts keystore use Command 4.2.
 

Command 4.1.1 keytool -storepasswd -new <new_storepass> -keystore <Akeystore> -storepass <old_storepassword> For example: keytool -storepasswd -new cacertspassword -keystore /java.home/lib/security/cacerts -storepass changeit The cacerts keystore's password will be changed from changeit to cacertspassword.

 

Command 4.2 keytool -import  -alias <cacerts_key_entry_alias> -file <CARootCertificate.cer> -keystore <cacerts_keystore> -storepass <cacerts_store_password> For example: keytool -import -alias cakey -file CARootCertificate.cer -keystore /java.home/lib/security/cacerts -storepass cacertspassword

Command 4.2 will place the CA root certificate, stored in the file CARootCertificate.cer into an entry aliased by cakey in the cacerts keystore.

Now, the certificate reply from the CA can be imported (See command 4.3). Note that the certificate reply is imported into the subject's keystore that contains the key entries - NOT the cacerts keystore. When importing the certificate reply into the keystore, the -trustcacerts flag must be used with the import command in order for certificates in the cacerts file to be used to establish chains of trust with the certificate reply in the subject's keystore.
 

Command 4.3 keytool -import -alias <subjectkey> -file <chainedcertificate.cer>  -keypass <mykeypasswd> -trustcacerts -keystore <mykeystore> -storepass <storepass> For example: keytool -import -alias joe -file joeChainCertificate.cer -keypass joepass -trustcacerts -keystore keystore -storepass password The file, joeChainCertificate.cer contains only the certificate reply as it was generated by the CA.

Command 4.3 will import the certificate reply stored in the file <amended_chaindcertifcate.cer>, into the key entry of <mykeystore>, aliased by <subjectkey>.

Using these two methods, it should be possible to import a certificate reply into a keystore without causing a "Failed to establish chain from reply" message.

References:

Keytool - Key and Certificate Management Tool - A guide on how to use the Java programming language keytool.
PKCS#7 Message Syntax
Enstrust
Verisign
Thawte

Glossary: