I was provided a new certificate including a private.key file to update OneClick's certificate file and I need to import the files.
private.key
oneclickserver.cer
All supported releases of DX NetOps Spectrum
Importing a certificate generated outside the keytool utility.
The Java keytool utility is currently unable to import a standalone private key into a JKS keystore. To accomplish this task, we first use the openssl utility to combine the key and certificate into a PKCS#12 store, and then use keytool to convert the PKCS#12 store into a JKS store.
Provided files
private.key
spectrum.cer
The steps we took to convert and use these files:
1. Rename the existing cacerts file in $SPECROOT/custom/keystore/
2. Convert private.key and the certificate to a PKCS#12 store using openssl (you will be prompted for an export password, which is needed again in step 3)
openssl pkcs12 -export -in spectrum.cer -inkey private.key -out spectrum.p12 -name tomcatssl
3. Convert the PKCS#12 store to a JKS store using the Java keytool utility
keytool -importkeystore -destkeystore cacerts -deststoretype jks -deststorepass changeit -destkeypass changeit -srckeystore spectrum.p12 -srcstoretype pkcs12 -srcalias tomcatssl -destalias tomcatssl
4. Re-import any other certificates in use, for example:
If using LDAP with TLS, re-import the LDAP certificate:
keytool -import -alias ldap -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <ldap_certificate_filename>
If integrating with CAPM via HTTPS, import the CAPM certificate:
keytool -import -alias capm -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <capm_certificate_filename>
5. Restart Spectrum OneClick Tomcat
- stop OneClick Tomcat
cd $SPECROOT/tomcat/bin
./stopTomcat.sh
- rename the existing cacerts file in $SPECROOT/custom/keystore/ to another name
- copy the cacerts file generated above (step 3) to $SPECROOT/custom/keystore/
- start OneClick Tomcat
cd $SPECROOT/tomcat/bin/
./startTomcat.sh
6. If Tomcat doesn't start and the error message "the trustanchors parameter must be non-empty" is seen in catalina.out, the keystore contains no trusted certificate entries and the following may be necessary:
6.1 If you have the root chain certificate as a .cer file, you can import it into the cacerts keystore as follows:
keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <root_chain_certificate_filename>
or follow article 129913 (https://knowledge.broadcom.com/external/article?articleId=129913)
You can execute the same steps if the customer-supplied files are .pem, for example:
Encrypted_key.pem
spectrum.pem (full chain certificate file)
As the key is encrypted, you will also need its passphrase to decrypt it in step 2.
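The following script is an added example, not part of the article or of the Spectrum product, that wraps steps 2, 3, 4 and 6.1 above in shell functions and adds the checks a practitioner wants before replacing the keystore: that the private key actually belongs to the certificate (the usual reason the openssl pkcs12 export fails), that an encrypted .pem key can be handled with a passphrase, and that the resulting store has at least one trusted certificate entry (the condition behind the "trustanchors parameter must be non-empty" error). The alias tomcatssl, the password changeit and the $SPECROOT/custom/keystore/ path come from the article; the function names, the backup file naming and the explicit password options are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): the article's openssl + keytool steps as
# functions, with pre- and post-checks. Assumes openssl and keytool are on PATH.
set -u

# Return 0 when the public key in the certificate matches the private key.
# PASSIN is an openssl -passin spec (e.g. "pass:secret") for an encrypted key,
# empty for an unencrypted key.
check_key_matches_cert() {
    key="$1"; cert="$2"; passin="${3:-}"
    if [ -n "$passin" ]; then
        key_pub=$(openssl pkey -in "$key" -passin "$passin" -pubout 2>/dev/null)
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    fi
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Step 2: bundle key + certificate into a PKCS#12 store. The article's command
# prompts for the export password; here it is passed explicitly so the function
# can run unattended. Extra arguments are passed through to openssl, e.g.
# "-passin pass:..." for an encrypted key or "-certfile chain.pem" for a chain.
convert_to_p12() {
    key="$1"; cert="$2"; out="$3"; alias="$4"; p12pass="$5"; shift 5
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
        -name "$alias" -passout "pass:$p12pass" "$@"
}

# Step 3: keytool -importkeystore from the PKCS#12 store into a JKS store.
import_p12_to_jks() {
    p12="$1"; jks="$2"; alias="$3"; p12pass="$4"; jkspass="$5"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$p12pass" \
        -srcalias "$alias" -destkeystore "$jks" -deststoretype jks \
        -deststorepass "$jkspass" -destkeypass "$jkspass" -destalias "$alias"
}

# Steps 4 and 6.1: add a trusted certificate (LDAP, CAPM, root chain) to the store.
import_trusted_cert() {
    jks="$1"; alias="$2"; cert="$3"; jkspass="$4"
    keytool -import -noprompt -trustcacerts -alias "$alias" \
        -keystore "$jks" -storepass "$jkspass" -file "$cert"
}

# Number of trustedCertEntry entries in the store. Zero means Tomcat will fail
# with "the trustanchors parameter must be non-empty" (step 6).
count_trust_anchors() {
    jks="$1"; jkspass="$2"
    keytool -list -keystore "$jks" -storepass "$jkspass" 2>/dev/null \
        | grep -c 'trustedCertEntry' || true
}

# Steps 1-3 end to end: verify the pair, build the PKCS#12 store, back up the old
# cacerts and write the new JKS store in its place. Tomcat stop/start (step 5)
# and the re-import of LDAP/CAPM certificates (step 4) are done afterwards.
rekey_oneclick() {
    key="$1"; cert="$2"; p12pass="$3"; passin="${4:-}"
    ks_dir="$SPECROOT/custom/keystore"
    check_key_matches_cert "$key" "$cert" "$passin" \
        || { echo "private key does not match certificate" >&2; return 1; }
    if [ -n "$passin" ]; then
        convert_to_p12 "$key" "$cert" "$ks_dir/spectrum.p12" tomcatssl "$p12pass" \
            -passin "$passin" || return 1
    else
        convert_to_p12 "$key" "$cert" "$ks_dir/spectrum.p12" tomcatssl "$p12pass" \
            || return 1
    fi
    [ -f "$ks_dir/cacerts" ] && mv "$ks_dir/cacerts" "$ks_dir/cacerts.$(date +%Y%m%d%H%M%S).bak"
    import_p12_to_jks "$ks_dir/spectrum.p12" "$ks_dir/cacerts" tomcatssl "$p12pass" changeit
}
```

Typical use after sourcing the file is `rekey_oneclick private.key spectrum.cer <export-password>` for the .cer case, or `rekey_oneclick Encrypted_key.pem spectrum.pem <export-password> pass:<key-passphrase>` for the encrypted .pem case, followed by the article's step 4 imports and `count_trust_anchors $SPECROOT/custom/keystore/cacerts changeit` to confirm the store is not empty of trust anchors before restarting Tomcat. Note that OpenSSL 3 writes PKCS#12 files with newer default encryption than some older JDK keytool releases can read; if step 3 fails on an old JDK, regenerate the store with OpenSSL's legacy PKCS#12 options.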