Following are a few important point points to keep in mind when you are renewing an expired certificate:
Use the same certificate authority that you used when you first got the public certificate. If you use a different certificate authority for certificate renewal, you will have to import the new CA-certificate as well as the intermediate certificates to the keystore and the client’s trust store.
If the certificate authority’s certificate is not in the keystore, you will get the following error when you try to import the CA-signed certificate to the keystore:
keytool error: java.lang.Exception: Failed to establish chain from reply
To overcome the above error, be sure to first import the CA-signed certificate as well as the intermediate certificates to the keystore in the correct order.