Trouble with Keytool importing Certificate


Hello, I am running a webserver using SparkJava, which uses keytool Java keystores like Apache Tomcat. I am trying to move from flexible to full SSL. I generated a keystore with
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore
and then generated my certificate signing request with
keytool -certreq -alias server -file -keystore
I uploaded the .csr to Cloudflare when I was creating a free origin certificate and downloaded the certificate as a PKCS#7 key (.p7b).
Then, I attempted to import the certificate to the keystore with
keytool -import -trustcacerts -alias server -file -keystore
but I get the error
keytool error: java.lang.Exception: Failed to establish chain from reply
I have no idea how to fix this and any input would be much appreciated.


Hi @sam.obrien00 - are you still having issues? If so, please let us know.


No, I resolved my problem. I was using the root certificates for the outward facing Universal SSL certificates from: What intermediates and roots are Cloudflare-issued certs signed against?. When I set up my keystore using the correct root certificate from What are the root certificate authorities (CAs) used with Cloudflare Origin CA?, my setup worked fine. Thank you for your concern!


I’m facing the same error but adding the Cloudflare Origin CA — RSA Root from the posted link doesn’t help.

Do I just have to concatenate the RSA Root certificate with my PKCS7 certificate?
My file cert.p7b looks like:

-----BEGIN PKCS7-----
-----END PKCS7-----

Is the order or the extensions of my files important?

P.S. I’m using an embedded Tomcat in a Spring Boot application.
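
The import order behind the resolution reported earlier in this thread, reproduced offline as an added example (not code from any poster or from Cloudflare). A throwaway CA created with keytool stands in for the Origin CA root; the aliases, file names, subject names and password are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: the "ca" key pair below is a stand-in for the real issuing root.
PASS=changeit   # demo password, assumption

# Run keytool non-interactively and fold its messages into stdout.
kt() { keytool "$@" -storepass "$PASS" </dev/null 2>&1; }

demo_chain_import() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 127; }
  d=$(mktemp -d) || return 2
  ks="$d/server.jks"

  # Stand-in root CA, plus its certificate exported as PEM (root.pem).
  kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -dname "CN=Demo Origin Root" \
     -ext bc:c -keypass "$PASS" -keystore "$d/ca.jks" >/dev/null || return 2
  kt -exportcert -rfc -alias ca -keystore "$d/ca.jks" -file "$d/root.pem" >/dev/null || return 2

  # Server key pair and CSR, the same two steps as in the question.
  kt -genkeypair -alias server -keyalg RSA -keysize 2048 -dname "CN=origin.example" \
     -keypass "$PASS" -keystore "$ks" >/dev/null || return 2
  kt -certreq -alias server -file "$d/server.csr" -keystore "$ks" >/dev/null || return 2

  # The CA signs the CSR; the reply contains only the leaf certificate.
  kt -gencert -rfc -alias ca -keystore "$d/ca.jks" \
     -infile "$d/server.csr" -outfile "$d/server.crt" >/dev/null || return 2

  # 1) Import the reply while the keystore does not yet trust the issuer:
  #    keytool cannot link the reply to a trusted root and refuses it.
  BEFORE_RC=0
  BEFORE_MSG=$(kt -importcert -trustcacerts -noprompt -alias server \
     -file "$d/server.crt" -keystore "$ks") || BEFORE_RC=$?

  # 2) Import the issuing root under its OWN alias, then the reply under
  #    the alias that holds the private key.
  kt -importcert -trustcacerts -noprompt -alias origin-root \
     -file "$d/root.pem" -keystore "$ks" >/dev/null || return 2
  AFTER_RC=0
  AFTER_MSG=$(kt -importcert -trustcacerts -noprompt -alias server \
     -file "$d/server.crt" -keystore "$ks") || AFTER_RC=$?

  rm -rf "$d"
}
```

Call `demo_chain_import` and inspect `BEFORE_RC`/`BEFORE_MSG` and `AFTER_RC`/`AFTER_MSG`. With a real certificate, `keytool -list -v` on the keystore shows whether the `server` entry's chain ends at the root that actually issued it.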