
SSL Configuring OneClick using an externally generated private.key file


Article ID: 214715


Updated On:


CA Spectrum


I was provided a new certificate including a private.key file to update OneClick's certificate file and I need to import the files.



Importing a certificate generated outside the keytool utility.


Release : 10.4.x

Component : Spectrum OneClick


The Java keytool utility cannot import a standalone private key file (such as a PEM-encoded private.key) into a JKS keystore; it only imports whole keystores or certificates. To get the key in, use the openssl utility to bundle the private key and certificate into a PKCS#12 store, then use keytool to convert that PKCS#12 store into a JKS store.

Provided files


The steps we took to convert and use these files:

1. Rename the existing cacerts file in $SPECROOT/custom/keystore/ (keep it as a backup; it also holds the trusted certificates you will need to re-import in step 4).

2. Convert private.key and the certificate to a PKCS#12 store using openssl. openssl prompts for an export password; use the same value you will give keytool as the source store password in step 3. If the CA also supplied intermediate certificates, add -certfile <chain_filename> so the chain is bundled with the key.

     openssl pkcs12 -export -in spectrum.cer -inkey private.key -out spectrum.p12 -name tomcatssl

3. Convert the PKCS#12 store to a JKS store using the Java keytool utility. Keep the alias tomcatssl and the password changeit unless you have changed the matching values in OneClick's Tomcat configuration. The command writes the new cacerts file into the current directory.

     keytool -importkeystore -destkeystore cacerts -deststoretype jks -deststorepass changeit -destkeypass changeit -srckeystore spectrum.p12 -srcstoretype pkcs12 -srcalias tomcatssl -destalias tomcatssl

4. Re-import any other certificates that were in the old cacerts, for example:

     If using LDAP with TLS, re-import the LDAP certificate:
         keytool -import -alias ldap -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <ldap_certificate_filename>

     If integrating with CAPM via https, import the CAPM certificate:
         keytool -import -alias capm -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <capm_certificate_filename>

5. Install the new keystore in Spectrum OneClick Tomcat:

    - stop OneClick Tomcat
         cd $SPECROOT/tomcat/bin

    - if not already done in step 1, rename the existing cacerts file in $SPECROOT/custom/keystore/ to another name
    - copy the cacerts file generated above (step 3) to $SPECROOT/custom/keystore/
    - start OneClick Tomcat
         cd $SPECROOT/tomcat/bin/

6. If Tomcat does not start and catalina.out contains the error "the trustanchors parameter must be non-empty", the new cacerts holds only the tomcatssl key entry and no trusted certificate entries, so Java cannot build a trust store from it. Add at least the root CA certificate as a trusted entry:

6.1 If you have the root (or chain) certificate as a .cer file, import it into the cacerts keystore as follows, then start Tomcat again:

      keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <root_chain_certificate_filename>
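The following script is an added example, not part of the original article or of CA Spectrum, that runs steps 2, 3 and 6.1 end to end and then checks the result. Because the real private.key and spectrum.cer are not on this page, it first constructs a throwaway root CA and a server certificate signed by it; the file names, the working directory, the alias tomcatssl and the password changeit are assumptions taken from the steps above. It also checks with keytool -list that the store ends up with tomcatssl as a PrivateKeyEntry and root as a trustedCertEntry, which is what Tomcat needs to avoid the "trustanchors" failure in step 6.

```shell
#!/bin/sh
# Added example (not from the original article): convert an externally
# generated private key + certificate into a JKS keystore named "cacerts"
# under the alias "tomcatssl", add the root CA as a trusted entry, and verify.
# The CA, key and certificate below are constructed for demonstration only.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed working directory
STOREPASS="${STOREPASS:-changeit}"    # password used in the article's step 3
ALIAS="tomcatssl"                     # alias used in the article's steps 2-3

# Constructed input: a throwaway root CA and a server cert it signs, standing
# in for the files the CA provided. Skip this in production.
make_sample_material() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out root.cer \
      -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout private.key -out spectrum.csr \
      -subj "/CN=oneclick.example.com" >/dev/null 2>&1
  openssl x509 -req -in spectrum.csr -CA root.cer -CAkey ca.key \
      -CAcreateserial -out spectrum.cer -days 30 >/dev/null 2>&1
}

# Step 2: bundle key + cert (+ chain) into PKCS#12. -passout replaces the
# interactive prompt; -certfile puts the CA chain into the same bundle.
build_pkcs12() {
  cd "$WORK"
  openssl pkcs12 -export -in spectrum.cer -inkey private.key \
      -certfile root.cer -name "$ALIAS" -out spectrum.p12 \
      -passout "pass:$STOREPASS"
}

# Step 3: PKCS#12 -> JKS, then step 6.1: add the root CA as a trusted entry
# so the same file also works as a trust store (non-empty trust anchors).
build_jks() {
  cd "$WORK"
  rm -f cacerts
  keytool -importkeystore -noprompt \
      -srckeystore spectrum.p12 -srcstoretype pkcs12 \
      -srcstorepass "$STOREPASS" -srcalias "$ALIAS" \
      -destkeystore cacerts -deststoretype jks -destalias "$ALIAS" \
      -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
  keytool -importcert -noprompt -alias root -file root.cer \
      -keystore cacerts -storepass "$STOREPASS"
}

# Check: the server alias must be a PrivateKeyEntry (key actually imported)
# and the root a trustedCertEntry (trust store not empty). Prints "ok".
verify_store() {
  cd "$WORK"
  listing=$(keytool -list -keystore cacerts -storepass "$STOREPASS" 2>/dev/null)
  echo "$listing" | grep -q "^$ALIAS,.*PrivateKeyEntry" || return 1
  echo "$listing" | grep -q "^root,.*trustedCertEntry" || return 1
  echo ok
}

# Runs the whole procedure. Prints "skipped" if openssl or keytool is absent
# (e.g. on a host without a JDK) so the script can still be sourced safely.
run_conversion() {
  command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
  command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
  make_sample_material
  build_pkcs12 >/dev/null
  build_jks >/dev/null
  verify_store
}
```

Run it as `sh convert.sh` after adding a final line `run_conversion`, then copy $WORK/cacerts to $SPECROOT/custom/keystore/ as in step 5. One caveat: recent OpenSSL releases protect the PKCS#12 bundle with PBES2/AES by default, and an old keytool (older Java 8 builds) may refuse to read it; in that case re-run the openssl pkcs12 command with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES` to produce the legacy encoding.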