CA digital certificates and the keytool error java.lang.Exception: Failed to establish chain from reply (help wanted)


I was idle and bored, so I used keytool to create a certificate and submitted it to a CA to obtain a free 30-day certificate, but the final step, importing the certificate, reported:

keytool error: java.lang.Exception: Failed to establish chain from reply

keytool error: java.lang.Exception: Unable to establish a link from the reply.

For an article on creating a certificate with keytool, see: http://www.chinaunix.net/jh/13/456376.html. Note that the certificate name imported in step five is client.cer rather than CLIENT.CRT. Presumably the article has been reposted too many times by people who never ran the steps themselves, so nobody found this problem.

Since there is an error, it has to be solved. The causes of this error that I found on the Internet are:

1. The CA root certificate has been updated and I am using the old one. ---- I ruled this one out: my root certificate was downloaded from the address the CA emailed to me directly, so in theory it is the latest. I checked the root certificate's years, 2009-2019, no problem.

2. Using the keytool in JDK4.1 to install the webserver certificate: the certificate downloads normally, but importing it with keytool fails with: keytool error: java.lang.Exception: Failed to establish chain from reply

Reason: The user is on a Linux system with multiple JDKs installed, and the JDK path in the system environment variable is not the same as the path of the JDK that generated the certificate request.
Workaround: Modify the environment variable settings, or use the absolute path to run keytool. See: http://www.cfca.com.cn/help/jishu-WS-1-5.htm

This site is very authoritative. My machine does have several JDKs installed, so I used the absolute path to create the certificate, and the result was still the error. With no other option, I found a fresh machine, installed the JDK, and started creating the certificate from scratch; it failed in the same way.

In the end I was speechless. At one point I wondered whether the cause was JDK6, or whether the address http://www.chinaunix.net was blocked by our network so that we could not authenticate. Formal certificates cost money, and I do not know which CA can provide a free test certificate like this. I hope an expert can give me some pointers.

All right. Since I could not create the certificate, but did cram the basics of digital certificates in the process, I will summarize them below.

Keys and certificates (see: http://www.microsoft.com/china/technet/security/guidance/secmod39.mspx):

Asymmetric encryption uses a public/private key pair. Data that is encrypted with the private key can only be decrypted using the corresponding public key, and vice versa.

As the name suggests, a public key is a key that can be provided to many people. Instead, the private key is unique to a particular individual. The distribution mechanism used to transfer the public key to the user is a certificate. Typically, a certification authority (CA) signs a certificate to confirm that the public key comes from the body that claims to send the public key. A CA is a mutually trusted entity.

A typical implementation of digital authentication includes the certificate signing process. For example:

1. Wang Li sends a signed certificate request (containing her name, public key, and possibly some other information) to the CA.

2. The CA uses Wang Li's request to create a message. The CA uses its private key to sign the message in order to create a separate signature. The CA returns the message and signature to Wang Li. The message and the signature together constitute Wang Li's certificate.

3. Wang Li sends her certificate to Li Hua to give him access to her public key.

4. Li Hua uses the CA's public key to verify the certificate signature. If the signature is valid, he accepts that the public key in the certificate is the public key of Wang Li.

There are several technical terms that I learned at university but have somewhat forgotten after not using them for a long time, so I am noting them here as a reminder:

Digital signature (see: http://baike.baidu.com/view/7626.htm):

A digital signature (also known as a public-key digital signature or electronic signature) is similar to an ordinary physical signature written on paper, but it is implemented with techniques from the field of public-key cryptography and is a method for authenticating digital information. A digital signature scheme usually defines two complementary operations, one for signing and the other for verification.

The statement above is rather abstract, so here is a scenario:

I need to encrypt the name of a certain star, say Donnie Yen.

1. I first share the public key with User B, so that we have agreed on how to sign.

2. I use the private key to encrypt the message body, that is, Donnie Yen; the encrypted data is the signature (assume it is 1111).

3. I send the message body and signature (Donnie Yen, 1111) to User B.

4. User B uses the public key I shared earlier to decrypt the digital signature, that is, 1111, and checks whether the result is Donnie Yen; if it is, then this message was sent by me.

Of course, what User B sends to me is digitally signed with the public key, and I decrypt it with the private key.

CA root certificate (see: http://baike.baidu.com/view/554880.htm)

Having understood digital signatures, you also understand the role of the CA root certificate. In the keys and certificates section above, the CA uses its private key to sign the message built from Wang Li's request, creating a separate signature. This shows that the CA root certificate can be understood as the public key that the CA shares with the world; this public key is used to check that Wang Li's certificate is the certificate Wang Li originally submitted to the CA for registration. Of course, this is my own one-sided understanding, and experts are welcome to point out more details; the link above is not very detailed.
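The certificate signing steps and the signature scenario above, as an added example that is not part of the original post: a toy CA issues Wang Li's certificate, Li Hua's check is `verify`, and `establish_chain` is a simplified model of the issuer walk whose failure produces the error message at the top of the page. The name Demo Root CA, the dict-based certificate layout and the textbook RSA keys are assumptions made for illustration; this is not keytool's code and not real X.509.

```python
import hashlib

E = 65537  # public exponent

def keypair(p, q):
    """Textbook RSA from two primes (no padding): returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # needs Python 3.8+

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):
    n, d = priv
    return pow(digest(msg, n), d, n)         # private-key operation on the hash

def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)  # public-key operation, then compare

def tbs(cert):
    """Bytes the issuer signs: subject name, subject public key, issuer name."""
    return repr((cert["subject"], cert["pub"], cert["issuer"])).encode()

def issue(issuer, issuer_priv, subject, subject_pub):
    cert = {"subject": subject, "pub": subject_pub, "issuer": issuer}
    cert["sig"] = sign(tbs(cert), issuer_priv)
    return cert

def establish_chain(reply, trusted):
    """Follow issuer names from the reply to a self-signed root in `trusted`."""
    chain, cert = [reply["subject"]], reply
    while len(chain) <= len(trusted):        # bound guards against issuer loops
        parent = trusted.get(cert["issuer"])
        if parent is None or not verify(tbs(cert), cert["sig"], parent["pub"]):
            break                            # issuer missing, or a different key
        chain.append(parent["subject"])
        if parent["subject"] == parent["issuer"]:
            return chain
        cert = parent
    raise ValueError("Failed to establish chain from reply")

# Constructed toy keys (Mersenne primes, trivially factorable): illustration only.
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**107 - 1)
OLD_PUB, OLD_PRIV = keypair(2**521 - 1, 2**607 - 1)  # stands in for a superseded root
WL_PUB, WL_PRIV = keypair(2**89 - 1, 2**61 - 1)
ROOT = issue("Demo Root CA", CA_PRIV, "Demo Root CA", CA_PUB)
OLD_ROOT = issue("Demo Root CA", OLD_PRIV, "Demo Root CA", OLD_PUB)
REPLY = issue("Demo Root CA", CA_PRIV, "Wang Li", WL_PUB)  # steps 1-2: CA signs
print(establish_chain(REPLY, {"Demo Root CA": ROOT}))      # step 4: chain verifies
```

Calling `establish_chain(REPLY, {})` or passing `OLD_ROOT` as the trusted root raises the same error: the first models a store with no CA certificate at all, the second a root whose key is not the one that signed the reply.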

PS: Finally, here is a site with a more detailed introduction to keytool: http://www.infosecurity.org.cn/article/pki/case/23823.html

For those of us with poor English, more Chinese translations would still be good; of course, I am also working hard to learn English ^_^ ~
