Hi

In keytool's installReply(), there is:

    if (replyCerts.length == 1) {
        // single-cert reply
        newChain = establishCertChain(userCert, replyCerts[0]);
    } else {
        // cert-chain reply (e.g., PKCS#7)
        newChain = validateReply(alias, userCert, replyCerts);
    }

If the trust cannot be set up with a known trust anchor, in establishCertChain(), the import simply fails; in validateReply(), a prompt is displayed, and if you type yes, it's imported.

This means the user experience is different between directly applying for a cert from a root CA (in which the reply is a single cert) and from an intermediate CA (in which the reply includes the user's cert and the CA's cert), when the root CA is not in the user's cacerts.

Is this rational? Why isn't validateReply() always called?

Thanks
Max
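An added example, not keytool's code and not part of the message above: the two reply shapes the question describes, built and checked with Go's crypto/x509 (chosen over Java because it can generate a throwaway root, intermediate and user certificate in memory, so the example runs offline). The CA names, `issue`, `chainEstablished`, `runScenarios` and the `Outcome` type are this example's own. A single-cert reply is verified with no intermediates, so its issuer must itself be a trust anchor; a chain reply contributes `reply[1:]` as intermediates. With the root present both shapes chain; with the root absent both fail, which shows that the asymmetry lies in what keytool does after path building fails (fail outright versus prompt), not in path building itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1

// issue creates a certificate for cn signed by parent; when parent is nil
// the certificate is self-signed (a root). Keys are throwaway P-256 keys
// generated in memory (constructed test data, not a real PKI).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainEstablished mirrors the split in installReply(): a single-cert reply
// gets no intermediates (its issuer must itself be an anchor), while a
// chain reply supplies reply[1:] as intermediates. It returns nil when a
// path from reply[0] to a certificate in anchors could be built.
func chainEstablished(reply []*x509.Certificate, anchors *x509.CertPool) error {
	if len(reply) == 0 {
		return fmt.Errorf("empty reply")
	}
	opts := x509.VerifyOptions{
		Roots:     anchors,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if len(reply) > 1 {
		opts.Intermediates = x509.NewCertPool()
		for _, c := range reply[1:] {
			opts.Intermediates.AddCert(c)
		}
	}
	_, err := reply[0].Verify(opts)
	return err
}

// Outcome records whether each reply shape chained to a trust anchor.
type Outcome struct {
	SingleCertReply bool // leaf issued directly by the root; reply = [leaf]
	ChainReply      bool // leaf issued by an intermediate; reply = [leaf, intermediate]
}

// runScenarios builds a toy PKI and evaluates both reply shapes against a
// cacerts-like pool that contains the root and against one that does not.
func runScenarios() (rootTrusted, rootUnknown Outcome) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leafFromRoot, _ := issue("user-from-root", false, root, rootKey)
	leafFromInter, _ := issue("user-from-intermediate", false, inter, interKey)

	singleReply := []*x509.Certificate{leafFromRoot}
	chainReply := []*x509.Certificate{leafFromInter, inter}

	withRoot := x509.NewCertPool()
	withRoot.AddCert(root)
	withoutRoot := x509.NewCertPool() // empty but non-nil: no fallback to system roots

	rootTrusted = Outcome{
		SingleCertReply: chainEstablished(singleReply, withRoot) == nil,
		ChainReply:      chainEstablished(chainReply, withRoot) == nil,
	}
	rootUnknown = Outcome{
		SingleCertReply: chainEstablished(singleReply, withoutRoot) == nil,
		ChainReply:      chainEstablished(chainReply, withoutRoot) == nil,
	}
	return rootTrusted, rootUnknown
}

func main() {
	trusted, unknown := runScenarios()
	fmt.Printf("root in cacerts:     single-cert reply chained=%v, chain reply chained=%v\n", trusted.SingleCertReply, trusted.ChainReply)
	fmt.Printf("root not in cacerts: single-cert reply chained=%v, chain reply chained=%v\n", unknown.SingleCertReply, unknown.ChainReply)
}
```

The empty pool stands in for a cacerts file that lacks the root; it is deliberately non-nil so that Go does not silently fall back to the system trust store, which would hide the "unknown anchor" case the question is about.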