Authentication Manager Prime: SSP Keystore Import Fails with "Failed to Establish Chain from Reply"
20 hours ago
Originally Published: 2023-01-16
Article Number
000068063
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Prime
Issue
When running the keytool command to import a CA-signed certificate into the SSP keystore, the command fails immediately and the certificate is not imported.
Observable symptoms:
  • The keytool import command exits with an error — the certificate is not added to the SSP keystore.
  • The Self-Service Portal (SSP) continues to use the existing certificate.
Error displayed in the terminal:
 
keytool error: java.lang.Exception: Failed to establish chain from reply
Cause
The CA root certificate (and any intermediate certificates) have not been imported into the SSP keystore before the CA-signed certificate was imported.
Keytool requires a complete, verified certificate trust chain to exist in the keystore before it can import a signed certificate. When the CA root and intermediate certificates are absent, keytool cannot trace the chain of trust from the signed certificate back to a trusted root — and rejects the import entirely.
This commonly occurs when administrators import the CA-signed certificate directly without first importing the CA root and intermediate certificates in the correct order.
Resolution
⚠️ CAUTION: The private key alias name and keystore file name will vary between environments. Replace caroot, ssp, and ssp_keystore_new.jks in the commands below with the values specific to your keystore. If you are unsure of your alias names, run keytool -list -keystore <your-keystore>.jks to list all entries.
 
Step 1: Navigate to the PrimeKit certificates directory:
cd /opt/rsa/primekit/certificates
 
Step 2: Import the CA root certificate into the SSP keystore:
../java/latest/bin/keytool -import -trustcacerts -alias caroot -file caroot.cer -keystore ssp_keystore_new.jks

 

Enter the keystore password when prompted. Type yes to trust the certificate when asked.
Expected result: Certificate was added to keystore
 
Step 3: If your CA provided intermediate certificates, import each one before proceeding. Repeat this command for each intermediate certificate, using a unique alias (e.g., intermediate1, intermediate2):
 
../java/latest/bin/keytool -import -trustcacerts -alias intermediate1 -file intermediate.cer -keystore ssp_keystore_new.jks

 

Enter the keystore password when prompted. Type yes to trust the certificate when asked.
Expected result: Certificate was added to keystore
 
Step 4: Import the SSP CA-signed certificate into the SSP keystore. Use the exact alias that was used when the private key was originally created (in this example, the alias is ssp):
../java/latest/bin/keytool -import -alias ssp -file ssp.cer -keystore ssp_keystore_new.jks

 

Enter the keystore password when prompted.
Expected result: Certificate reply was installed in keystore
 
Step 5 (Verification): Confirm all certificates have been successfully imported by listing the keystore contents:
../java/latest/bin/keytool -list -keystore ssp_keystore_new.jks

 

Verify that the CA root, any intermediate certificates, and the SSP signed certificate all appear as entries in the keystore output.
 
 
Notes
Identifying Your Alias and Keystore Names: If you are unsure of the alias name used for your private key, list all entries in your keystore with the following command:
 
../java/latest/bin/keytool -list -keystore <your-keystore>.jks
 
The alias name will appear next to each PrivateKeyEntry in the output.
  • Intermediate Certificates: Not all CAs provide intermediate certificates. If your CA only provided a root certificate and the signed certificate, skip Step 3 of the Resolution. If you are unsure whether intermediate certificates were provided, check the certificate bundle supplied by your CA — it will typically contain multiple .cer or .crt files.
  • Activating the SSP CA-Signed Certificate After Import: Once the certificate has been successfully imported into the SSP keystore, additional activation steps are required in the PrimeKit configuration. Refer to the RSA SecurID Access PrimeKit Quick Install Guide (attached to this article) for the certificate activation procedure.
  • Certificate Format Tip: Keytool expects certificates in DER (binary) or PEM (Base64) format. If your CA delivered the certificate in a different format (e.g., .pfx or .p12), convert it before importing. To check if a .cer file is PEM format, open it in a text editor — if it starts with -----BEGIN CERTIFICATE-----, it is PEM and compatible with keytool.

 

Attachments
If the attachment does not open when clicked, please refresh the page and try again. You must be logged into view the file(s).