1

I have SSL up and running and in use with a Tomcat 6.0 webapp. Recently, the SSL cert (a VeriSign cert) expired. I exported a Certificate Signing Request (CSR), went through the process, and received a certificate file with the correct information. The key algorithm is RSA.

The problem occurs when I attempt to import the new cert over the old cert. The following is the output from running keytool:

D:\keystore>keytool -import -alias tomcat -keyalg RSA -keystore .keystore -trustcacerts -file D:\keystore\Certificates\tomcat_dev.cer

Enter keystore password:

keytool error: java.lang.Exception: Failed to establish chain from reply

FYI, password is being left as the default "changeit" (it's just a test dev server).

I'm sure the error is on my part, but I'm not sure how to remedy it. Do I need to replace the intermediate CA as well?

A little out of leads here and would appreciate any and all advice. Thanks in advance!

2 Answers

1

Yes, you'll have to include/replace the Intermediate as well, and do so before importing the new certificate. Most SSL vendors are chaining through intermediates these days, which adds steps.

1
  • When you say to replace the intermediate, does that mean I should just delete it and then import the new one? I can't seem to find a command to specifically replace, and importing to the same one informs me that it already exists (of course). So far, I have my old CA ("intermediateca") and then two VeriSign CAs that it looks like are now necessary (a primary and secondary?). I imported those as "intermediatecaprimary" and "intermediatecasecondary". However, I still receive the same error. Commented Feb 11, 2011 at 19:17
1

I found out the problem -- I had been using "-keyalg RSA" but not specifying "-keysize 2048". Therefore, the certificate was defaulting to 1024 instead of 2048 and failing.

Adjusting this caused everything to work completely correctly.
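The import order described in the first answer, written out as a Windows batch script. This is an added example, not code from either answer: the CA file names are placeholders, and the aliases are the ones mentioned in the question and the comment.

```bat
@echo off
rem Added example. CA file names below are placeholders for the files
rem supplied by the CA; .keystore and tomcat_dev.cer are from the question.
setlocal
set KS=.keystore
set CERTS=D:\keystore\Certificates
set REPLY=%CERTS%\tomcat_dev.cer
set PRIMARY=%CERTS%\intermediate_primary.cer
set SECONDARY=%CERTS%\intermediate_secondary.cer

rem 1. Keep a backup: the keystore holds the only copy of the private key.
copy /y "%KS%" "%KS%.bak" >nul || goto :fail

rem 2. The reply is only accepted under the alias whose key pair produced
rem    the CSR, so confirm "tomcat" is a private key entry, not a trusted cert.
keytool -list -v -keystore "%KS%" -alias tomcat || goto :fail

rem 3. Print the certificates: the Issuer of the reply must equal the Owner
rem    of one intermediate, and so on up to a root keytool already trusts.
keytool -printcert -file "%REPLY%" || goto :fail
keytool -printcert -file "%PRIMARY%" || goto :fail
keytool -printcert -file "%SECONDARY%" || goto :fail

rem 4. keytool cannot overwrite a trusted-cert alias, so drop the stale
rem    intermediate first (an error here only means it was already gone).
keytool -delete -alias intermediateca -keystore "%KS%"

rem 5. Import the intermediates before the reply. -trustcacerts also lets
rem    keytool consult the JRE cacerts file when looking for the root.
keytool -import -trustcacerts -alias intermediatecaprimary -file "%PRIMARY%" -keystore "%KS%" || goto :fail
keytool -import -trustcacerts -alias intermediatecasecondary -file "%SECONDARY%" -keystore "%KS%" || goto :fail

rem 6. Import the reply last, over the existing key entry.
keytool -import -trustcacerts -alias tomcat -file "%REPLY%" -keystore "%KS%" || goto :fail

rem 7. The entry should now report a certificate chain length above 1.
keytool -list -v -keystore "%KS%" -alias tomcat
goto :eof

:fail
echo Import stopped; the original keystore is saved as %KS%.bak
exit /b 1
```

keytool prompts for the keystore password at each step, which keeps it out of the script and the command history.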
