Authentication Manager Prime: SSP Keystore Import Fails with "Failed to Establish Chain from Reply"
Originally Published: 2023-01-16
Article Number
Applies To
RSA Product/Service Type: Authentication Manager Prime
Issue
When running the keytool command to import a CA-signed certificate into the SSP keystore, the command fails immediately and the certificate is not imported.
Observable symptoms:
- The keytool import command exits with an error — the certificate is not added to the SSP keystore.
- The Self-Service Portal (SSP) continues to use the existing certificate.
Error displayed in the terminal:
keytool error: java.lang.Exception: Failed to establish chain from reply
Cause
The CA root certificate (and any intermediate certificates) have not been imported into the SSP keystore before the CA-signed certificate was imported.
Keytool requires a complete, verified certificate trust chain to exist in the keystore before it can import a signed certificate. When the CA root and intermediate certificates are absent, keytool cannot trace the chain of trust from the signed certificate back to a trusted root — and rejects the import entirely.
This commonly occurs when administrators import the CA-signed certificate directly without first importing the CA root and intermediate certificates in the correct order.
Resolution
⚠️ CAUTION: The private key alias name and keystore file name will vary between environments. Replace
caroot, ssp, and ssp_keystore_new.jks in the commands below with the values specific to your keystore. If you are unsure of your alias names, run keytool -list -keystore <your-keystore>.jks to list all entries.Step 1: Navigate to the PrimeKit certificates directory:
cd /opt/rsa/primekit/certificates
Step 2: Import the CA root certificate into the SSP keystore:
../java/latest/bin/keytool -import -trustcacerts -alias caroot -file caroot.cer -keystore ssp_keystore_new.jks
Enter the keystore password when prompted. Type
yes to trust the certificate when asked.✅ Expected result:
Certificate was added to keystoreStep 3: If your CA provided intermediate certificates, import each one before proceeding. Repeat this command for each intermediate certificate, using a unique alias (e.g.,
intermediate1, intermediate2):../java/latest/bin/keytool -import -trustcacerts -alias intermediate1 -file intermediate.cer -keystore ssp_keystore_new.jks
Enter the keystore password when prompted. Type
yes to trust the certificate when asked.✅ Expected result:
Certificate was added to keystoreStep 4: Import the SSP CA-signed certificate into the SSP keystore. Use the exact alias that was used when the private key was originally created (in this example, the alias is
ssp):../java/latest/bin/keytool -import -alias ssp -file ssp.cer -keystore ssp_keystore_new.jks
Enter the keystore password when prompted.
✅ Expected result:
Certificate reply was installed in keystoreStep 5 (Verification): Confirm all certificates have been successfully imported by listing the keystore contents:
../java/latest/bin/keytool -list -keystore ssp_keystore_new.jks
Verify that the CA root, any intermediate certificates, and the SSP signed certificate all appear as entries in the keystore output.
Notes
Identifying Your Alias and Keystore Names: If you are unsure of the alias name used for your private key, list all entries in your keystore with the following command:
../java/latest/bin/keytool -list -keystore <your-keystore>.jks
The alias name will appear next to each
PrivateKeyEntry in the output.-
Intermediate Certificates: Not all CAs provide intermediate certificates. If your CA only provided a root certificate and the signed certificate, skip Step 3 of the Resolution. If you are unsure whether intermediate certificates were provided, check the certificate bundle supplied by your CA — it will typically contain multiple
.ceror.crtfiles. -
Activating the SSP CA-Signed Certificate After Import: Once the certificate has been successfully imported into the SSP keystore, additional activation steps are required in the PrimeKit configuration. Refer to the RSA SecurID Access PrimeKit Quick Install Guide (attached to this article) for the certificate activation procedure.
-
Certificate Format Tip: Keytool expects certificates in DER (binary) or PEM (Base64) format. If your CA delivered the certificate in a different format (e.g.,
.pfxor.p12), convert it before importing. To check if a.cerfile is PEM format, open it in a text editor — if it starts with-----BEGIN CERTIFICATE-----, it is PEM and compatible with keytool.
Attachments
If the attachment does not open when clicked, please refresh the page and try again. You must be logged into view the file(s).
Related Articles
RSA PrimeKit Quick Install Guide 166Number of Views This certificate or its signing CA is not valid error when importing a certificate chain in RSA Authentication Manager 8.x… 971Number of Views How to create and configure certificates for HTTPS access when using intermediate CA certs in RSA Identity Governance & Li… 1.07KNumber of Views How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings. 806Number of Views Unable to Resolve User by Login ID and/or Alias or Authenticator Not Assigned to User When Attempting to Authenticate via … 2.14KNumber of Views
Trending Articles
RSA Authentication Manager 8.9 Setup and Configuration Guide How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings. RSA Authentication Manager 8.9 Release Notes (January 2026) Configure RSA Authentication Manager as a Secure Proxy Server for Cloud Access Service RSA Authentication Manager Upgrade Process
Don't see what you're looking for?