Unable to import CA reply


Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

The content on this page relates to platforms that are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and that you use it at your own risk.

Summary

When following Running Jira applications over SSL or HTTPS to renew certificates, at steps 13 to 17:

13. You should generate a Certificate Signing Request for the CA to sign and confirm the identity of the certificate. To do so, right-click the certificate and choose Generate CSR. Save it in <Jira_HOME>/jira.csr.

14. Submit the CSR to the CA for signing. They'll provide a signed certificate (CA reply) and a set of root or intermediate CA certificates.

15. Import the root or intermediate CA certificates with Import Trusted Certificate, repeating this step for each certificate.

16. Import the signed certificate by right-clicking the jira certificate and selecting Import CA Reply.

You may face the following error:

  • Via Portecle:
    Could not establish trust for the CA Reply. Import cannot proceed.
  • Via Keytool:
    keytool error: java.lang.Exception: Failed to establish chain from reply


Environment

Jira Data Center

Tomcat

Diagnosis

A simplified version of the certificate chain could be like the following:

Cause


The intermediate CA certificate has changed since it was imported into the Java Keystore.

Solution

Contact the signing CA to get the new Root and intermediate CA certificates.
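
To confirm the cause above, or to check the new certificates from the CA before retrying the import, the following added example (not part of the original article) compares the issuer of the CA reply with the intermediate held locally and then tests the chain with openssl. The function names and file names are assumptions; the intermediate and root are assumed to have been exported from the keystore in PEM form first (for example with keytool -exportcert -rfc).

```shell
#!/bin/sh
# Added diagnostic example. Inputs are PEM files (file names are assumptions):
#   reply.pem        - signed certificate returned by the CA (the "CA reply")
#   intermediate.pem - intermediate CA certificate exported from the keystore
#   root.pem         - root CA certificate exported from the keystore

# Print the issuer DN of a certificate on one line.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Print the subject DN of a certificate on one line.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# check_ca_reply REPLY INTERMEDIATE ROOT
# Returns 0 when the reply chains to the root through the intermediate,
#         1 when the reply was issued by a differently named intermediate,
#         2 when the names match but the chain still does not verify
#           (for example, the intermediate was re-issued with a new key).
check_ca_reply() {
    reply=$1; inter=$2; root=$3
    if [ "$(cert_issuer "$reply")" != "$(cert_subject "$inter")" ]; then
        echo "MISMATCH: reply was issued by '$(cert_issuer "$reply")'"
        echo "          local intermediate is '$(cert_subject "$inter")'"
        return 1
    fi
    if openssl verify -CAfile "$root" -untrusted "$inter" "$reply" >/dev/null 2>&1; then
        echo "OK: reply chains to the root through this intermediate"
        return 0
    fi
    echo "FAIL: issuer name matches but the chain does not verify"
    return 2
}

# Stand-alone use: sh check_ca_reply.sh reply.pem intermediate.pem root.pem
if [ "$#" -eq 3 ]; then
    check_ca_reply "$@"
fi
```

A result of 1 or 2 means the intermediate in the keystore is not the one that signed the reply, which matches the cause described above.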

Last modified on Jul 5, 2024
