"Failed to establish chain from reply" appears when loading a custom certificate for use with BlackBerry Administration Service

Article ID: KB23492

Type: Support Content

Last Modified: 07-23-2012


Product(s) Affected:

  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Domino
  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry® Enterprise Server 5.0

When following the steps to load a custom certificate into the web.keystore file for use by the BlackBerry Administration Service per KB12887 and KB20759, the following error may be displayed when attempting to load the custom certificate reply file (BASCert.cer):

keytool error: java.lang.Exception: Failed to establish chain from reply


The CACert.cer file that was generated by the Certificate Authority Server is not a root certificate, but only an intermediate certificate. The BlackBerry Administration Service certificate (BAScert.cer file from the other KB articles) will not load due to a trust issue.


The root certificate from the Certificate Authority Server needs to be obtained and imported separately.

To extract the Root Certificate:

  1. Open the CAcert.cer file by double-clicking it.
  2. Click on the Certification Path tab.
  3. Click on the top-level (root) certificate reference, then click View Certificate.
  4. Click on the Details tab.
  5. Click the Copy to File... button to open the Certificate Export Wizard.
  6. Click Next.
  7. Select DER encoded binary X.509 (.CER) and click Next.
  8. Browse to a folder and select a name for this certificate, for example C:\CARootCert.cer. Click Save.
    If performing this on Windows 2008 Server, C:\ might not be accessible. Select a folder that allows write permissions (C:\Users\username).

  9. Click Next.
  10. Click Finish to write the certificate file and close the wizard.
  11. Click OK to close each Certificate window.

    To load the Root Certificate into the web.keystore file:

    keytool -import -alias rootcert -keystore "C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -file "C:\CARootCert.cer"

    Once the Root Certificate has been loaded into the web.keystore file, the BASCert.cer file will load without incident.


By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.

Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.