Article Number
000068063
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager Prime
Issue
When importing the SSP CA signed certificate into the SSP keystore, the below error is returned:
"keytool error: java.lang.Exception: Failed to establish chain from reply"
Cause
This error is returned when the CA root certificate is not imported into the SSP keystore.
Resolution
To resolve this error, you will need to import the CA root certificate, followed by the intermediate certificates.
- Navigate to /opt/rsa/primekit/certificates
- Import the CA root certificate into the SSP keystore by issuing the below command:
../java/latest/bin/keytool -import -trustcacerts -alias caroot -file caroot.cer -keystore ssp_keystore_new.jks
- Import the SSP CA signed certificate into the SSP keystore by issuing the below command. Note: You must reference the alias name when importing. In this example, the private key alias name is 'ssp':
../java/latest/bin/keytool -import -alias ssp -file ssp.cer -keystore ssp_keystore_new.jks
Notes:
- The private key alias and keystore names will vary from one keystore to the other. Make sure to correctly specify those names. In this example, the private key alias name is 'ssp' and the keystore name is 'ssp_keystore_new.jks'.
- For activating the SSP CA Signed Certificate, refer to page 97 in the attached "RSA SecurID Access PrimeKit Quick Install Guide".
