keytool error: java.lang.Exception: Failed to establish chain from reply

Question

Generate keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore my.keystore -keysize 2048

Generate certificate signing request (CSR)

Answer 1

I struggled with the same problem for about two weeks until I found a way around it. The problems was that the root and intermediate certificates that came with my certificate from Godaddy were not the ones I needed. I looked many times in Godaddy's repository unable to find the suitable certificates.

I viewed my certificate on my laptop (using Windows 8.1). There I saw the certificate chain, and I was able to export the root and intermediate certificates. Then I imported them to my keystore and it worked as it should.

To do this follow this instructions:

1. View your certificate on a computer running Windows. You will be able to see the certificate chain on the third tab that looks as the following image.

2. Select the root certificate from the chain and click on the button "View Certificate".

3. A new window opens, go to the second tab and click on the "Save File" button. This opens an export wizard for your ceritficate.
4. When exporting, select the X.509 base 64 option and follow the instructions. Save the file.
5. Repeat for the intermediate certificate.
6. Upload both certificates to your server and import into the keystore following the order - first root, second intermediate and finally your certificate. [It's not necessary to import the root certificate]

NOTE: Before I imported those certificates, I had to delete the ones that were on my keystore and were not working. To do so, I used the following instructions:

keytool -delete -alias [root] -keystore [keystore file]

If you are not sure what is inside your keytool, you can view by using:

keytool -list -keystore [keystore file]