Error Message

keytool error: java.lang.Exception: Failed to establish chain from reply

A. The Certificate owners is different for all the certificates in the chain.

B. The certificate chain involves one or more Intermediate certificates that also need to be imported to establish trust for the chain.

C. The certificate is imported in an unsupported format

Following solutions can be performed based on above listed causes

Cause A: 

Verify the "Issued by" details of each of the certificate to make sure it is the same for all the certificates.

Source: Yanpas [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)], from Wikimedia Commons

Cause B

There are instances, when a self signed certificate contains one or more Intermediate certificates. In this case, the certificate chain can be seen as

1. Root Certificate
2. Intermediate Certificate #1 upto n
3. Signed Certificate

During such instances, every time an attempt to import an intermediate certificate is performed, it needs to be done using a new alias.

Example:

The below steps needs to be followed to allow the import of certificate chain that involves a root, intermediate and signed certificate. 

***Root Cert Import***

keytool -importcert -alias root-ca -file CARoot.cer -keystore webserver.keystore -storepass changeit  

***Intermediate Cert Import***

keytool -importcert -alias im-ca -file im-ca.cer -keystore webserver.keystore -storepass changeit 

*** If more than one Intermediate Cert  - Otherwise, move on to the Signed Cert Import step***

***Intermediate Cert2 Import*** 

keytool -importcert -alias im-ca2 -file im-ca.cer2 -keystore webserver.keystore -storepass changeit 

***Signed Cert Import***

keytool -importcert -alias tomcat -keystore webserver.keystore -trustcacerts -file signedcert.ca 

Please refer to DI Install Guide "Generating Management Console Certificate" chapter for more insight of the above commands.

CAUSE C:

Make sure every time a certificate is imported, it is in PKCS #7 format only.