"Keytool error: java.lang.Exception: Failed to establish chain from reply" When importing an SSL certificate to Clearwell's keystore

Article:TECH215986  |  Created: 2014-03-21  |  Updated: 2014-03-31  |  Article URL http://www.symantec.com/docs/TECH215986
Article Type
Technical Solution



When importing an SSL certificate to Clearwell's keystore, an error is encountered.


keytool error: java.lang.Exception: Failed to establish chain from reply


Clearwell 7.1.1 - 7.1.5


 Root and/or Intermediate certificates have not been imported properly or in the correct order.


  •  If Root and/or Intermediate certificates have already been imported, remove them.
    • "keytool -delete -alias mydomain -keystore new-server.keystore"
    • DO NOT remove "clearwellkey" alias from keystore.
  • Import the Root certificate.
  • Import the Intermediate certificate
  • Import the Site certificate


  • If whether the certificate is Root or Intermediate is unknown, this information can be obtained by viewing the Site certificate but double-clicking the file:

Example Certification Path

  • In the example above, "Verisign" is the Root certificate, "Verisign Class 3 International Server CA - G3" is the Intermediate certificate, and "mydomain.com" is the Site certificate.
  • If the Root and/or Intermediate certificates are not available, they can be exported from the Certification Path tab as seen in the image above.
  • Double-click the certificate and it will open a new window that looks just like the previous one.
  • Next go to the Details tab and click "Copy to File"

Example Copy To File

  • Click "Next" on the window that opens
  • Choose "Base-64 encoded X.509 (.CER)
  • Click "Next" and choose a filename: "example.cer"
  • Click "Finish" and this file can now be used to import this certificate into Clearwell's keystore.


Article URL http://www.symantec.com/docs/TECH215986

Terms of use for this information are found in Legal Notices