Product: TIBCO Spotfire Server
Versions: All
Summary:
When importing a CA-issued certificate into a Spotfire Server Java keystore, you get the error "Failed to establish chain from reply". This can result from the root and/or intermediate certificates not having been imported properly or in the correct order.
Details:
You try to import a CA-issued certificate into the TIBCO Spotfire Server Java keystore by running a command like the following:
<Spotfire-Server-home>\<version>\jdk\bin>keytool -import -alias spotfire -file <Spotfire-Server-home>\<version>\tomcat\certs\servercert.cer -keystore <Spotfire-Server-home>\<version>\tomcat\certs\spotfire.jks
But you get an error message:
keytool error: java.lang.Exception: Failed to establish chain from reply
This can happen when the system fails to build a complete chain of certificates leading back to a trusted root certificate authority, because the root and/or intermediate certificates have not been imported properly or were not imported in the correct order.
Resolution:
Option A
Ask the CA admin to provide the certificate in .p7b format, which exports the full chain along with the root and intermediate certificates. You can then run the following command to import the certificate:
keytool -import -alias spotfire -file <Spotfire-Server-home>\<version>\tomcat\certs\servercert.p7b -keystore <Spotfire-Server-home>\<version>\tomcat\certs\spotfire.jks
Option B
Follow the steps below to import the certificates individually, once you have the .p7b format certificate:
- View your certificate on a computer running Windows. You will be able to see the certificate chain on the third tab.
- Select the root certificate from the chain and click on the button "View Certificate".
- A new window opens. Go to the second tab and click on the "Save File" button. This opens an export wizard for your certificate.
- When exporting, select the X.509 base 64 option and follow the instructions. Save the file.
- Repeat for the intermediate certificate.
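- Copy both certificates to your server and import them into the Spotfire keystore in the following order: first root, second intermediate and, finally, your server certificate, using the commands below. keytool requires a unique alias for each entry, so the root and intermediate certificates each get their own alias (root and intermediate below are example names), and the server certificate is imported last under the alias of the existing key entry (spotfire in the commands here):
keytool -import -alias root -file <Spotfire-Server-home>\<version>\tomcat\certs\Rootcert.cer -keystore <Spotfire-Server-home>\<version>\tomcat\certs\spotfire.jks
keytool -import -alias intermediate -file <Spotfire-Server-home>\<version>\tomcat\certs\Intermediate.cer -keystore <Spotfire-Server-home>\<version>\tomcat\certs\spotfire.jks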
keytool -import -alias spotfire -file <Spotfire-Server-home>\<version>\tomcat\certs\servercert.cer -keystore <Spotfire-Server-home>\<version>\tomcat\certs\spotfire.jks
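Before running the imports in Option B, the exported files can be checked for a complete chain. The following PowerShell is an added example, not part of the original article or of TIBCO's tooling; it assumes the three file names used above sit in the current directory, and it matches issuer and subject names only (signatures are not verified).

```powershell
# Added example: put exported certificate files in root-first order and
# report a missing issuer before running keytool -import.
# Assumption: the three file names from this article, in the current directory.
$Path = 'Rootcert.cer', 'Intermediate.cer', 'servercert.cer'

# Compare distinguished names by their DER bytes (hex), not by display string.
function Get-NameKey($Name) { [BitConverter]::ToString($Name.RawData) }

$certs = foreach ($p in $Path) {
    $full = (Resolve-Path -LiteralPath $p).Path
    [pscustomobject]@{
        File = $p
        Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    }
}

# Index by subject so each certificate's issuer can be looked up.
$bySubject = @{}
foreach ($c in $certs) { $bySubject[(Get-NameKey $c.Cert.SubjectName)] = $c }

# The server (leaf) certificate is the one that issued nothing else in the set.
$issuerKeys = @($certs | ForEach-Object { Get-NameKey $_.Cert.IssuerName })
$leaf = @($certs | Where-Object { $issuerKeys -notcontains (Get-NameKey $_.Cert.SubjectName) })
if ($leaf.Count -ne 1) { throw "Expected exactly one server certificate, found $($leaf.Count)" }

# Walk from the leaf up to a self-signed root, failing on the first gap.
$chain = @()
$cur = $leaf[0]
while ($true) {
    $chain += $cur
    if ($chain.Count -gt $certs.Count) { throw 'Issuer loop detected' }
    $issuer = Get-NameKey $cur.Cert.IssuerName
    if ($issuer -eq (Get-NameKey $cur.Cert.SubjectName)) { break }   # root reached
    if (-not $bySubject.ContainsKey($issuer)) {
        throw "Incomplete chain: no file supplies issuer '$($cur.Cert.Issuer)' of $($cur.File)"
    }
    $cur = $bySubject[$issuer]
}

# Print the order to use for the keytool imports: root first, server last.
[array]::Reverse($chain)
$n = 0
foreach ($c in $chain) { $n++; '{0}. {1}  ({2})' -f $n, $c.File, $c.Cert.Subject }
```

An "Incomplete chain" error names the issuer that still has to be exported from the .p7b; importing without it is what produces "Failed to establish chain from reply".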