Need help importing SSL certificate for Tomcat 5.5


I’m attempting to import a new Cloudflare-generated SSL certificate, but the following error is generated:
keytool error: java.lang.Exception: Failed to establish chain from reply

We’re running Tomcat 5.5 and here are the steps I’ve taken:

keytool -genkey -alias [sitename] -keyalg RSA -keystore vbskeystore -keysize 2048

keytool -certreq -keyalg RSA -alias [sitename] -file certreq.csr -keystore vbskeystore

I then import the CSR to generate the a PB7 file on Cloudflare’s site, create a PB7 file on the server and run the following command:

keytool -import -trustcacerts -alias [sitename] -file vbstest.p7b -keystore vbskeystore

This is when the error appears: keytool error: java.lang.Exception: Failed to establish chain from reply

Any help would be greatly appreciated!

It seems the import tries to verify the certificate and fails to do so because of missing intermediate certificates. You can download the one appropriate for your certificate from

Thank you so much! I sincerely appreciate your assistance and will give your suggestion a try, right now.

My apologies, but I’m curious: Being I created a PB7 cert for our site (using Cloudflare certificate creation tool), do I need to bundle the custom generated PB7 cert with the certs you referred to in your response or simply import all three individually?

That I cant tell you, but you simply need to make sure the certificate chain is available in its entirety. Otherwise it doesnt seem to be able to verify it.

Thank you for you help. I appreciate it!

This topic was automatically closed after 30 days. New replies are no longer allowed.