Error "keytool error: java.lang.Exception: Failed to establish chain from reply" when importing the SSP CA signed certificate into the SSP Keystore

3 years ago

Originally Published: 2023-01-16

Article Number

000068063

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Prime

Issue

When importing the SSP CA signed certificate into the SSP keystore, the below error is returned:

"keytool error: java.lang.Exception: Failed to establish chain from reply"

Cause

This error is returned when the CA root certificate is not imported into the SSP keystore.

Resolution

To resolve this error, you will need to import the CA root certificate, followed by the intermediate certificates.

Import the CA root certificate into the SSP keystore by issuing the below command:

../java/latest/bin/keytool -import -trustcacerts -alias caroot -file caroot.cer -keystore ssp_keystore_new.jks

Import the SSP CA signed certificate into the SSP keystore by issuing the below command. Note: You must reference the alias name when importing. In this example, the private key alias name is 'ssp':
```
../java/latest/bin/keytool -import -alias ssp -file ssp.cer -keystore ssp_keystore_new.jks
```

Notes:

The private key alias and keystore names will vary from one keystore to the other. Make sure to correctly specify those names. In this example, the private key alias name is 'ssp' and the keystore name is 'ssp_keystore_new.jks'.
For activating the SSP CA Signed Certificate, refer to page 97 in the attached "RSA SecurID Access PrimeKit Quick Install Guide".

Attachments

If the attachment does not open when clicked, please refresh the page and try again. You must be logged into view the file(s).

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change