I'm in the process of renewing the certificates for each node in my Hadoop cluster. I obtained a certificate file for each of my nodes. But when running the following command, I get the error:
keytool error: java.lang.Exception: Failed to establish chain from reply
sudo keytool -importcert -alias node1 -file node1.cer -keystore keystore.jks
From what I've gathered this happens because I didn't load the root and intermediate CA certificates into the truststore yet.
Looking into the truststore.jks file itself, I can see that I already have root and intermediate CA certificates that will not expire for a long while. So they've already been loaded.
So is it possible to use these existing root and intermediate CA certificates while importing my new Hadoop node certificate into the keystore?
(Also, I've tried this command alteration but still got the same error:)
sudo keytool -import -alias node1 -trustcacerts -storetype jceks -file node1.cer -keystore keystore.jks
After obtaining root and intermediate CA certificates, and using the following command:
sudo keytool -importcert -alias rootca -keystore cacerts -file /tmp/rootca.crt
Where cacerts is the truststore file.
I get the following message:
Certificate already exists in keystore under alias <...>
So rootca and intermediateca certs are already in my cacerts truststore. So why is keytool not allowing me to import the new certificate into the keystore? (note: I'm trying to import the server certificate into a different file than cacerts)