When trying to import a PKCS#7 chain, the docs for keytool -import say:
===========
If the reply is a PKCS#7 formatted certificate chain, the chain is first ordered (with the user certificate first and the self-signed root CA certificate last), before keytool attempts to match the root CA certificate provided in the reply with any of the trusted certificates in the keystore or the "cacerts" keystore file (if the -trustcacerts option was specified). If no match can be found, the information of the root CA certificate is printed out, and the user is prompted to verify it, e.g., by comparing the displayed certificate fingerprints with the fingerprints obtained from some other (trusted) source of information, which might be the root CA itself. The user then has the option of aborting the import operation.
===========
The actual operation of keytool is not what's written above. See attachment
for the script which combines an OpenSSL CA with keytool operations.
The following shows what happens when you try to import a reply without
a trust cert installed in the keystore.
*******************************************
Original keystore that had a CSR issued.
[wetmore@bongos] 601 >keytool -list -v -keystore keystore
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: server
Creation date: Jun 8, 2004
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=radiant.sfbay.sun.com, OU=Java, O=Sun, L=SCA, ST=CA, C=US
Issuer: CN=radiant.sfbay.sun.com, OU=Java, O=Sun, L=SCA, ST=CA, C=US
Serial number: 40c629db
Valid from: [validity dates not recoverable from this copy]
Certificate fingerprints:
MD5: E9:E0:66:B1:25:30:5D:09:11:AF:4F:C3:73:48:D6:83
SHA1: 29:14:5F:0B:38:55:17:9D:9A:31:C6:2A:14:FD:99:FE:D6:95:AC:96
*******************************************
Reply we got from CA. Can't import reply.
[wetmore@bongos] 603 >keytool -printcert -file server.csr.der
Owner: CN=radiant.sfbay.sun.com, OU=Java, O=Sun, ST=CA, C=US
Issuer: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
Serial number: 1
Valid from: [validity dates not recoverable from this copy]
Certificate fingerprints:
MD5: 25:5C:7B:0C:CB:70:38:64:A1:22:7A:6E:AF:7B:12:81
SHA1: EA:8C:C7:EE:7F:D9:E4:EC:9E:DC:1F:F6:C7:3A:49:4D:DC:75:5D:37
[wetmore@bongos] 604 >keytool -import -keystore keystore -alias server -file server.csr.der
Enter keystore password: changeit
keytool error: java.lang.Exception: Failed to establish chain from reply
*******************************************
CA's trusted cert. Import this and then we can do the above.
[wetmore@bongos] 602 >keytool -printcert -file ca.crt
Owner: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
Issuer: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
Serial number: 0
Valid from: [validity dates not recoverable from this copy]
Certificate fingerprints:
MD5: 85:70:6A:86:B6:BB:FA:9B:74:C3:23:21:EF:CF:10:3A
SHA1: 49:E8:30:DF:C8:FC:6A:66:05:A2:AD:F7:D2:FB:DD:2A:10:79:A0:9F
[wetmore@bongos] 607 >keytool -import -keystore keystore -alias CA -file ca.crt
Enter keystore password: changeit
Owner: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
Issuer: CN=JSSE Test CA, OU=JWS, O=Sun, L=Santa Clara, ST=CA, C=US
Serial number: 0
Valid from: [validity dates not recoverable from this copy]
Certificate fingerprints:
MD5: 85:70:6A:86:B6:BB:FA:9B:74:C3:23:21:EF:CF:10:3A
SHA1: 49:E8:30:DF:C8:FC:6A:66:05:A2:AD:F7:D2:FB:DD:2A:10:79:A0:9F
Trust this certificate? [no]: yes
Certificate was added to keystore
*******************************************
No problem now.
[wetmore@bongos] 609 >keytool -import -keystore keystore -alias server -file server.csr.der
Enter keystore password: changeit
Certificate reply was installed in keystore
###@###.### 2004-06-08
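The script below is an added example reproducing the transcript end to end; it is not the attachment mentioned in the report. It builds a throwaway OpenSSL CA, issues a key pair and CSR with keytool, and then exercises both code paths in keytool's reply handling: a reply that decodes to a single certificate (what the -printcert output above shows) is handled by chain building against certificates already in the keystore, so without the CA installed it fails with "Failed to establish chain from reply"; a reply that decodes to a multi-certificate PKCS#7 bundle is handled by the chain-ordering path the documentation describes, where keytool prints the top-level certificate and asks "Install reply anyway?" when no trust anchor matches. Everything here is constructed: the subject names, the CA, the password changeit, and the PKCS12 store type (chosen so the same commands work on JDK 8 and on current JDKs); -importcert is the current spelling of -import.

```shell
#!/bin/sh
# Added example (not the bug report's attachment): OpenSSL CA + keytool reply import.
# Requires keytool (JDK) and openssl on PATH. All names and passwords are constructed.
set -eu

# Prints one summary line, e.g.
#   bare-reply-without-ca:rejected bare-reply-after-ca:installed chain-length:2 pkcs7-reply-declined:1 pkcs7-reply-accepted:2
demo_keytool_reply() {
  work=${1:-$(mktemp -d)}
  pw=changeit                                  # throwaway password, as in the transcript
  common="-storetype PKCS12 -storepass $pw"    # PKCS12 works identically on JDK 8 and current JDKs
  ks="$work/keystore"                          # will receive the CA as a trusted entry
  ks2="$work/keystore2"                        # copy that never gets the CA (PKCS#7 path)
  log="$work/keytool.log"

  # 1. Key pair with a self-signed placeholder cert: the "Certificate chain length: 1" state.
  keytool -genkeypair $common -keypass "$pw" -keystore "$ks" -alias server -keyalg RSA -keysize 2048 \
      -dname "CN=radiant.example, OU=Java, O=Example, C=US" -validity 365 >>"$log" 2>&1
  cp "$ks" "$ks2"

  # 2. CSR from keytool, signed by a constructed OpenSSL CA (self-signed root).
  keytool -certreq $common -keystore "$ks" -alias server -file "$work/server.csr" >>"$log" 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=JSSE Test CA/O=Example" -keyout "$work/ca.key" -out "$work/ca.crt" >>"$log" 2>&1
  openssl x509 -req -sha256 -days 365 -in "$work/server.csr" \
      -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial -out "$work/server.crt" >>"$log" 2>&1
  openssl x509 -in "$work/server.crt" -outform DER -out "$work/server.der"

  # 3. Single-certificate reply, issuer absent from the keystore: keytool cannot build the chain
  #    and exits non-zero with "Failed to establish chain from reply".
  if keytool -importcert $common -keystore "$ks" -alias server -file "$work/server.der" >>"$log" 2>&1
  then r1=installed; else r1=rejected; fi

  # 4. Install the CA as a trusted entry (-noprompt answers "Trust this certificate?"), then retry.
  keytool -importcert $common -noprompt -keystore "$ks" -alias ca -file "$work/ca.crt" >>"$log" 2>&1
  if keytool -importcert $common -keystore "$ks" -alias server -file "$work/server.der" >>"$log" 2>&1
  then r2=installed; else r2=rejected; fi
  len=$(chain_length "$ks" "$pw")

  # 5. Documented PKCS#7 path on the copy with no trust anchor: keytool prints the top-level
  #    certificate and asks "Install reply anyway? [no]:"; the answer is read from stdin.
  #    -noprompt does not answer this question, so it is piped in.
  openssl crl2pkcs7 -nocrl -certfile "$work/server.crt" -certfile "$work/ca.crt" \
      -outform DER -out "$work/reply.p7b"
  printf 'no\n'  | keytool -importcert $common -keystore "$ks2" -alias server -file "$work/reply.p7b" >>"$log" 2>&1 || true
  p7no=$(chain_length "$ks2" "$pw")        # declined: chain stays at 1
  printf 'yes\n' | keytool -importcert $common -keystore "$ks2" -alias server -file "$work/reply.p7b" >>"$log" 2>&1 || true
  p7yes=$(chain_length "$ks2" "$pw")       # accepted: server cert + root, chain of 2

  echo "bare-reply-without-ca:$r1 bare-reply-after-ca:$r2 chain-length:$len pkcs7-reply-declined:$p7no pkcs7-reply-accepted:$p7yes"
}

# Length of the certificate chain stored under alias "server" in keystore $1 (password $2).
chain_length() {
  keytool -list -v -storetype PKCS12 -storepass "$2" -keystore "$1" -alias server 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}

# Invoke as:  sh demo.sh run
if [ "${1:-}" = "run" ]; then demo_keytool_reply; fi
```

The practical check is the fingerprint comparison the documentation asks for: before answering "yes" to "Install reply anyway?", or before importing ca.crt with -noprompt, compare the printed SHA fingerprint against one obtained from the CA out of band, because either answer makes that key a trust anchor for every chain keytool later builds in this keystore.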