Problem: keytool error: java.lang.Exception: Failed to establish chain from reply
This error occurs while importing a GoDaddy SSL certificate into the keystore file.
Server: Tomcat 7
Solution: Make sure all the certificates from the chain are imported into the keystore. You
can identify the certificates in the chain by opening the certificate received from the
CA: double-click the file and go to the Certification Path tab, which shows the full
chain. Check https://certs.godaddy.com/anonymous/repository.pki
to obtain the individual root and intermediate certificates.
Details:
1) Open the certificate issued by GoDaddy, which is named after your domain name.
2) The certification path shows that you need to import the "Go Daddy Root Certificate Authority - G2" root
certificate first, then the "Go Daddy Secure Certificate Authority - G2" intermediate certificate,
and finally the "test.co.in" domain certificate.
3) The question is where to find the first two certificates. Go to https://certs.godaddy.com/anonymous/repository.pki and look for the two certificates named above, as shown in the image below.
4) Run the following command-line instructions, in this order, to install the standard
certificate issued by GoDaddy using the files obtained by the procedure above:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gdroot-g2.crt
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file test.co.in
The above process completely resolved the chain exception, and I was able to install the SSL certificate into Tomcat successfully.
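The three imports above only work when each file holds exactly one certificate and the last import uses the alias that already holds the key pair the CSR was generated from (otherwise keytool stores the domain certificate as a plain trusted entry instead of completing the chain). GoDaddy also ships the intermediates as a single bundle file, and keytool imports only the first certificate of a multi-certificate file under a new alias. The script below is an added example, not code from the original post: it splits a PEM bundle into one file per certificate and then runs the imports in root, intermediate, domain order. The file names, the keystore name and the alias "tomcat" are assumptions taken from the post; the sample bundle is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the keystore and
# aliases used in the post: tomcat.keystore, aliases root/intermed/tomcat.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-01.pem, cert-02.pem, ... (one certificate each) and
# prints the number of certificates found, so each can be imported alone.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_chain KEYSTORE ROOT_FILE INTERMEDIATE_FILE DOMAIN_CERT_FILE KEY_ALIAS
# Imports in the order the certification path requires. KEY_ALIAS must be the
# alias that already contains the private key used for the CSR; keytool
# prompts for the keystore password. Returns 2 if keytool is not installed.
import_chain() {
    ks="$1"; root="$2"; inter="$3"; leaf="$4"; key_alias="$5"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    keytool -import -noprompt -trustcacerts -alias root     -keystore "$ks" -file "$root"  &&
    keytool -import -noprompt -trustcacerts -alias intermed -keystore "$ks" -file "$inter" &&
    keytool -import -noprompt -trustcacerts -alias "$key_alias" -keystore "$ks" -file "$leaf" &&
    # Final check: the domain alias should now be listed as a key entry, not a trusted cert.
    keytool -list -keystore "$ks" -alias "$key_alias"
}

# make_sample_bundle FILE
# Writes a CONSTRUCTED two-certificate bundle (placeholder bodies, not real
# certificates) so split_pem_bundle can be exercised without GoDaddy files.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgMQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgMg==
-----END CERTIFICATE-----
EOF
}

# Typical use with real files from the GoDaddy repository and your account:
#   n=$(split_pem_bundle gd_bundle-g2-g1.crt chain)   # chain/cert-01.pem ...
#   import_chain tomcat.keystore gdroot-g2.crt gdig2.crt test.co.in.crt tomcat
```

Import order matters because keytool validates each certificate against what is already trusted in the keystore; importing the domain certificate before its issuers is exactly what produces "Failed to establish chain from reply".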
How are you getting the test.co.in file? I understand you can just download the gdroot-g2.crt from https://certs.godaddy.com/anonymous/repository.pki. But how do you get the text file for your own personal certificate to import into keytool? I tried downloading the PEM file from my account, but I still get the "Incomplete certificate chain in reply" error. The documentation on GoDaddy's site just skips the details on this step (http://support.godaddy.com/help/article/4780/signing-java-code)
I have changed it to test.co.in while writing this blog, as I don't want to disclose for which website I was setting up the SSL certificate.
The steps that you need to follow are: open the certificate issued by GoDaddy, then see the certification path, and then use keytool to import the certificates.
Thanks, we were working on this problem for the whole day and finally it worked. Thanks for your help.
Regards