
I am trying to create a BKS keystore but am unable to import a certificate reply.

I am getting the error: keytool error: java.lang.Exception: Failed to establish chain from reply

java.lang.Exception: Failed to establish chain from reply
            at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3375)
            at sun.security.tools.KeyTool.installReply(KeyTool.java:2583)
            at sun.security.tools.KeyTool.doCommands(KeyTool.java:998)
            at sun.security.tools.KeyTool.run(KeyTool.java:340)
            at sun.security.tools.KeyTool.main(KeyTool.java:333)

BKS keystore creation steps:

Step 1: Create the root CA key and CA cert using openssl

openssl req -x509 -newkey rsa:2048 -sha256 -nodes -out cacert.crt -outform PEM -keyout cakey.pem -config openssl-ca.cnf

Step 2: Import the CA cert into keytool's cacerts keystore as a trusted CRT

keytool -importcert -alias root-ca -file cacert.crt -keystore cacerts -storepass changeit

Step 3: Import the CA certificate into the BKS keystore as a trusted CRT

keytool -importcert -storetype BKS -keystore mykeystore.bks -alias root-ca -file cacert.crt -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar

Step 4: Generate a key pair

keytool -genkeypair -alias java-client2-key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype BKS -keystore mykeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar

Step 5: Generate a certificate request (CSR)

keytool -certreq -alias java-client2-key -file client2-ugoca.csr -storetype BKS -keystore mykeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar

Step 6: Sign the CSR using the self-signed root CA created in step 1

openssl x509 -req -days 365 -in client2-ugoca.csr -CA cacert.crt -CAkey cakey.pem -set_serial 300661 -out java-client2.crt

Step 7: Import the signed certificate into the keystore

keytool -v -importcert -alias java-client2-key -file java-client2.crt -trustcacerts -storetype BKS -keystore mykeystore.bks -keypass bks123 -storepass bks123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-154.jar

Note: I am able to create a Java JKS keystore using the above steps.

Any help is greatly appreciated!


1 Answer


After step 6, we need to create the client CRT with the root CRT in it, as follows:

cat java-client2.crt cacert.crt > client_chain.crt

Then, in step 7, import client_chain.crt as below:

keytool -v -importcert -alias java-client2-key -file client_chain.crt -trustcacerts -storetype BKS -keystore mykeystore.bks -keypass bks123 -storepass bks123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-154.jar
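The fix above works because keytool's certificate reply must start with the end-entity certificate and then carry the CA that signed it. Here is an added shell example (not the asker's or answerer's code) that builds client_chain.crt in that order and, before concatenating, runs the same "does this CA issue this leaf?" check that keytool fails on with "Failed to establish chain from reply". It assumes openssl is on PATH and uses throwaway certificates generated the same way as steps 1 and 6; every file name here is chosen for the example.

```shell
#!/bin/sh
# Build the certificate-reply file for keytool -importcert: end-entity cert
# first, then the CA that signed it, after verifying the leaf chains to that CA.
# Assumes openssl on PATH; all file names are placeholders for this example.

# build_chain_reply LEAF CA OUT -> returns 1 and writes nothing if LEAF does not chain to CA
build_chain_reply() {
  leaf=$1; ca=$2; out=$3
  subj=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$leaf" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  # A self-signed certificate is a root, not a reply to a CSR.
  if [ "$subj" = "$iss" ]; then
    echo "refusing: $leaf is self-signed" >&2
    return 1
  fi
  # The check keytool performs while building the chain: is the leaf issued by this CA?
  if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
    echo "refusing: $leaf is not issued by $ca" >&2
    return 1
  fi
  # Order matters: end-entity certificate, then its issuer.
  cat "$leaf" "$ca" > "$out"
}

# Number of PEM certificate blocks in a file; a two-level chain has exactly 2.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Throwaway fixtures built like steps 1 and 6 of the question: a self-signed root,
# a client certificate signed by it, and an unrelated CA for the negative case.
make_fixtures() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 -subj '/CN=Demo Root CA' \
    -keyout "$d/cakey.pem" -out "$d/cacert.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=java-client2' \
    -keyout "$d/client2.key" -out "$d/client2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/client2.csr" -CA "$d/cacert.crt" -CAkey "$d/cakey.pem" \
    -set_serial 300661 -out "$d/java-client2.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 -subj '/CN=Other CA' \
    -keyout "$d/otherkey.pem" -out "$d/other.crt" 2>/dev/null
}

# Stand-alone demo: sh thisfile.sh demo
demo() {
  d=$(mktemp -d)
  make_fixtures "$d"
  build_chain_reply "$d/java-client2.crt" "$d/cacert.crt" "$d/client_chain.crt" \
    && echo "wrote $d/client_chain.crt with $(count_certs "$d/client_chain.crt") certificates"
}
[ "${1:-}" = demo ] && demo
```

The resulting client_chain.crt is what step 7 should import; if build_chain_reply refuses, keytool would have failed on the same certificate pair.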