When you import signed certificates for the Data Loss Prevention (DLP) Enforce console, you see the error, "keytool error: java.lang.Exception: Failed to establish chain from reply."
The Certificate Authority (CA) sends you a signed certificate in response to your certificate signing request (CSR). The self-signed certificate must return the root certificate along with the signed certificate.
Place the signed certificate into the directory (<drive>\vontu\jre\bin) with the .keystore file.
If the signed certificate is provided in the body of an email, paste it into a text document exactly as it appears on the screen, including the top and bottom lines:
Save this file in the same directory where the .keystore file is located. If the signed certificate is provided as an attachment to an email, copy this file into the same directory where the .keystore file is located.
Use the following command to update the .keystore file with the signed certificate:
For example, as of April 2006, all SSL certificates purchased through the Symantec (formerly VeriSign) Web site require the installation of an Intermediate Certificate Authority (CA) Certificate. The SSL certificates are signed by an Intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of your SSL certificates.
Note: This has also been seen to happen where the signed certificate received (from VeriSign) was in the wrong format (X.509 instead of PKCS#7). If so, obtain the signed certificate in the correct format and retry the import into the .keystore.
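A pre-import check for the two causes described above, as an added example that is not part of the original article: it inspects the CA reply file and reports whether it is a lone X.509 certificate (keytool can then only build the chain from CA certificates already in the .keystore) or a PKCS#7 bundle. The function names and sample byte strings are assumptions constructed for illustration, and only the outer DER structure is examined.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def classify_der(der: bytes) -> str:
    """Classify one DER object by its outer structure only (no signature checks)."""
    if len(der) < 3 or der[0] != 0x30:        # both formats start with a SEQUENCE
        return "unknown"
    first = der[1]
    off = 2 + (first & 0x7F if first & 0x80 else 0)  # skip long-form length octets
    if der[off:off + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID:
        return "pkcs7"                        # ContentInfo { signedData, ... }
    if off < len(der) and der[off] == 0x30:
        return "x509"                         # Certificate { tbsCertificate, ... }
    return "unknown"


def classify_reply(data: bytes):
    """Return (kind, count) for a CA reply given as PEM text or raw DER."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return classify_der(data), 1
    # The PEM label is not trusted; each block is classified by its content.
    kinds = {classify_der(base64.b64decode(body)) for _, body in blocks}
    return (kinds.pop() if len(kinds) == 1 else "mixed"), len(blocks)


def needs_ca_certs_first(data: bytes) -> bool:
    """True when the reply is a lone X.509 certificate, so the root and any
    intermediate CA certificates must already be in the keystore."""
    return classify_reply(data) == ("x509", 1)


def _pem(label: str, der: bytes) -> bytes:
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode()


# Constructed stubs: just enough DER for the outer structure, not real certificates.
SAMPLE_X509 = _pem("CERTIFICATE", bytes.fromhex("300430020500"))
SAMPLE_PKCS7 = _pem("PKCS7", bytes.fromhex("300b") + SIGNED_DATA_OID)

if __name__ == "__main__":
    for name, blob in (("x509 reply", SAMPLE_X509), ("pkcs7 reply", SAMPLE_PKCS7)):
        print(name, classify_reply(blob), "import CA certs first:", needs_ca_certs_first(blob))
```
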
Imported Document ID: TECH220191