
SSL Configuring OneClick using an externally generated private.key file


Article ID: 214715

Products

CA Spectrum

Issue/Introduction

I was provided a new certificate including a private.key file to update OneClick's certificate file and I need to import the files.

private.key
oneclickserver.cer

Cause

Importing a certificate generated outside the keytool utility.

Environment

Release : 10.4.x

Component : Spectrum OneClick

Resolution

The Java keytool utility is currently unable to import a standalone private key into a JKS store. To accomplish this, use the openssl utility to bundle the certificate and private key into a PKCS12 store, then use keytool to convert the PKCS12 store to a JKS store.

Provided files

private.key
spectrum.cer

The steps we took to convert and use these files:

1. Rename the existing cacerts file in $SPECROOT/custom/keystore/

2. Convert private.key and the certificate to a PKCS12 store using openssl

     openssl pkcs12 -export -in spectrum.cer -inkey private.key -out spectrum.p12 -name tomcatssl

   openssl prompts for an export password; keytool asks for the same password as the source keystore password in the next step.

3. Convert the PKCS12 store to a JKS store using the Java keytool utility

     keytool -importkeystore -destkeystore cacerts -deststoretype jks -deststorepass changeit -destkeypass changeit -srckeystore spectrum.p12 -srcstoretype pkcs12 -srcalias tomcatssl -destalias tomcatssl


4. Re-import any other certificates in use, for example:

     If using LDAP with TLS, re-import the LDAP certificate:
         keytool -import -alias ldap -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <ldap_certificate_filename>

     If integrating with CAPM via HTTPS, import the CAPM certificate:
         keytool -import -alias capm -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <capm_certificate_filename>


5. Restart Spectrum OneClick Tomcat

    - stop OneClick Tomcat
         cd $SPECROOT/tomcat/bin
         ./stopTomcat.sh

    - rename the existing cacerts file in $SPECROOT/custom/keystore/ to another name
    - copy the cacerts file generated above (step 3) to $SPECROOT/custom/keystore/
    - start OneClick Tomcat
         cd $SPECROOT/tomcat/bin/
         ./startTomcat.sh

6. If Tomcat doesn't start and the error message "the trustanchors parameter must be non-empty" appears in catalina.out, the following may be necessary:

6.1 If you have the root chain certificate as a .cer file, import it into the cacerts keystore as follows:

      keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <root_chain_certificate_filename>
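The conversion in steps 2 and 3 and the trusted-certificate imports in steps 4 and 6.1, wrapped in shell functions with the checks a practitioner wants before replacing OneClick's cacerts. This is an added example written for this article, not a script from Broadcom or CA Spectrum; the function names, the assumption that the files are PEM-encoded, and the default password changeit (the Java keystore default the article uses) are assumptions.

```shell
#!/bin/sh
# Added example (not from the Broadcom article). Wraps the article's
# openssl/keytool commands with a key-matches-certificate check and an
# overwrite guard. Assumes spectrum.cer and private.key are PEM-encoded.
set -eu

# Fingerprint of the public key carried by a PEM certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256
}

# Fingerprint of the public key derived from a PEM private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout | openssl sha256
}

# Exit status 0 when the certificate was issued for this private key.
# openssl pkcs12 -export also rejects a mismatched pair, but checking up
# front gives a clear message before any keystore file is written.
cert_key_match() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Steps 2 and 3: certificate + key -> PKCS12 -> JKS under the alias Tomcat
# expects (tomcatssl). Refuses to overwrite an existing keystore so the
# backup renamed in step 1 is never clobbered.
# Usage: convert_to_jks spectrum.cer private.key cacerts [alias] [password]
convert_to_jks() {
    cert="$1"; key="$2"; jks="$3"
    ks_alias="${4:-tomcatssl}"; ks_pass="${5:-changeit}"
    p12="${jks}.p12"

    if [ -e "$jks" ]; then
        echo "refusing to overwrite existing keystore: $jks" >&2
        return 1
    fi
    if ! cert_key_match "$cert" "$key"; then
        echo "public key in $cert does not match $key" >&2
        return 1
    fi

    # Same openssl command as the article; the export password is passed on
    # the command line so the function runs unattended.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$p12" \
        -name "$ks_alias" -passout "pass:$ks_pass"

    # Same keytool command as the article plus -srcstorepass (without it,
    # keytool prompts for the password openssl just set on the .p12).
    keytool -importkeystore \
        -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$ks_pass" \
        -srcalias "$ks_alias" -destalias "$ks_alias" \
        -destkeystore "$jks" -deststoretype jks \
        -deststorepass "$ks_pass" -destkeypass "$ks_pass"

    # The intermediate .p12 holds the private key; remove it once imported.
    rm -f "$p12"
}

# Steps 4 and 6.1: add a trusted certificate (ldap, capm, root) to the JKS.
# -noprompt answers keytool's "Trust this certificate?" question.
# Usage: import_trusted_cert root root_chain.cer cacerts [password]
import_trusted_cert() {
    keytool -import -noprompt -trustcacerts -alias "$1" -file "$2" \
        -keystore "$3" -storepass "${4:-changeit}"
}
```

Run `convert_to_jks spectrum.cer private.key cacerts` in a scratch directory, then `import_trusted_cert root <root_chain_certificate_filename> cacerts` (and the ldap/capm entries as needed) before copying the file into $SPECROOT/custom/keystore/ in step 5. The JKS produced by step 3 contains only the tomcatssl key entry, so adding the trusted entries is what resolves the trustanchors error in step 6.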