Trouble with Keytool importing Certificate


#1

Hello, I am running a webserver using SparkJava which uses keytool Java keystores like Apache Tomcat. I am trying to move from flexible to full SSL. I generated a keystore with
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore sovietbot.xyz.jks
and then generated my certificate signing request with
keytool -certreq -alias server -file sovietbot.xyz.csr -keystore sovietbot.xyz.jks
I uploaded the .csr to Cloudflare when I was creating a free origin certificate and downloaded the certificate as a PKCS#7 key (.p7b).
Then, I attempted to import the certificate to the keystore with
keytool -import -trustcacerts -alias server -file sovietbot.xyz.pem -keystore sovietbot.xyz.jks
but I get the error
keytool error: java.lang.Exception: Failed to establish chain from reply
I have no idea how to fix this and any input would be much appreciated.


#2

hi @sam.obrien00 - are you still having issues? If so, please let us know.


#3

No, I resolved my problem. I was using the root certificates for the outward-facing Universal SSL certificates from: What intermediates and roots are Cloudflare-issued certs signed against?. When I set up my keystore using the correct root certificate from What are the root certificate authorities (CAs) used with Cloudflare Origin CA?, my setup worked fine. Thank you for your concern!


#4

I’m facing the same error but adding the Cloudflare Origin CA — RSA Root from the posted link doesn’t help.

Do I just have to concatenate the RSA Root certificate with my PKCS7 certificate?
My file cert.p7b looks like:

-----BEGIN PKCS7-----
...
-----END PKCS7-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Are the order or the extensions of my files important?

P.S. I’m using an embedded tomcat in a spring boot application
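Added example for this thread (not code from any of the posts above and not Cloudflare's): a POSIX shell script that first splits a concatenated PEM file such as the cert.p7b in post #4 into its individual blocks, so you can see exactly what the file holds, and then wraps the keytool import order that avoids "Failed to establish chain from reply" (the trusted Origin CA root from post #3 goes in first under its own alias, and only then the signed reply under the key alias). The keystore name and alias "server" come from post #1; the file name origin_ca_rsa_root.pem, the alias cf-origin-ca and the sample bundle are assumptions made for this example, and the bundle contents are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example for the thread above; not code from the posts or from Cloudflare.
# Assumed names: origin_ca_rsa_root.pem (Origin CA root you download yourself),
# alias cf-origin-ca (our own choice). Keystore/alias "server" come from post #1.

# Split a concatenated PEM file into one file per block under $2/ and print
# "<certificate blocks> <pkcs7 blocks>" so you can see what the file holds.
# Pure awk: no openssl or keytool needed for this step.
pem_split() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN / {
            n++; type=$2; sub(/-----$/, "", type)
            if (type == "CERTIFICATE") nc++; else if (type == "PKCS7") np++
            out=sprintf("%s/block-%02d-%s.pem", dir, n, type)
        }
        out != "" { print > out }
        /^-----END / { close(out); out="" }
        END { printf "%d %d\n", nc, np }
    ' "$bundle"
}

# Import order that avoids "Failed to establish chain from reply":
#  1. the CA that signed the reply is imported first, as a trusted certificate
#     under its own alias (keytool asks "Trust this certificate?", hence -noprompt);
#  2. only then is the signed reply imported under the alias holding the private key.
# keytool rejects step 2 unless it can chain the reply to a certificate it already
# trusts: one in the keystore, or with -trustcacerts one in the JRE cacerts file.
# The Origin CA root is a private CA and is not in cacerts, and the public
# Universal SSL roots (post #3) did not sign the reply, so neither helps.
# The reply file may be the .p7b as downloaded (PKCS#7) or a PEM chain; renaming
# it to .pem changes nothing. keytool prompts for the keystore password itself.
import_origin_reply() {
    keystore=$1; keyalias=$2; root_pem=$3; reply=$4
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found in PATH" >&2; return 2; }
    keytool -importcert -noprompt -alias cf-origin-ca -file "$root_pem" -keystore "$keystore" || return 1
    keytool -importcert -alias "$keyalias" -file "$reply" -keystore "$keystore" || return 1
}

# Constructed sample mirroring the layout in post #4 (one PKCS7 block followed by
# one CERTIFICATE block). The base64 bodies are placeholders, not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN PKCS7-----
MIIBconstructedPlaceholderPkcs7BodyNotARealBlob==
-----END PKCS7-----
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderCertificateBodyNotReal==
-----END CERTIFICATE-----
EOF
}

# Stand-alone run: inspect the constructed bundle. The keytool step is shown, not run,
# because it needs a real keystore, a real Origin CA root and a real reply:
#   import_origin_reply sovietbot.xyz.jks server origin_ca_rsa_root.pem cert.p7b
demo() {
    tmp=$(mktemp -d)
    make_sample_bundle "$tmp/cert.p7b"
    echo "blocks found (certificates pkcs7): $(pem_split "$tmp/cert.p7b" "$tmp/split")"
    ls "$tmp/split"
}
demo
```

Running `demo` prints `1 1` for the constructed bundle, i.e. one PKCS#7 block and one plain certificate, and leaves them in separate files under the temporary directory. For post #4's question: rather than concatenating the root onto the reply, import the root on its own with the first `keytool -importcert` call and then pass the reply file (either the PKCS#7 block or the plain certificate, not a mix of both) to the second; the order of those two calls is what matters, not the file extension.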