SSL Configuring OneClick using an externally generated private.key file


Article ID: 214715



CA Spectrum


I was provided a new certificate including a private.key file to update OneClick's certificate file and I need to import the files.



Release : 10.4.x, 22.1.x, 22.2.x

Component : Spectrum OneClick


Importing a certificate generated outside the keytool utility.


The Java keytool utility is currently unable to import a standalone private key into a JKS store. To accomplish this, use the openssl utility to combine the key and certificate into a PKCS#12 store, then use keytool to convert the PKCS#12 store into a JKS store.

Provided files


The steps we took to convert and use these files

1. Rename the existing cacerts file in $SPECROOT/custom/keystore/

2. Convert private.key and the certificate to a pkcs12 store using openssl

     openssl pkcs12 -export -in spectrum.cer -inkey private.key -out spectrum.p12 -name tomcatssl

3. Convert the pkcs12 store to a jks store using the java keytool utility

     keytool -importkeystore -destkeystore cacerts -deststoretype jks -deststorepass changeit -destkeypass changeit -srckeystore spectrum.p12 -srcstoretype pkcs12 -srcalias tomcatssl -destalias tomcatssl

4. Re-import any other certificates in use, for example:

    If using LDAP with TLS, re-import the LDAP certificate:
         keytool -import -alias ldap -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <ldap_certificate_filename>

    If integrating with CAPM via https, import the CAPM certificate:
         keytool -import -alias capm -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <capm_certificate_filename>

5. Spectrum OneClick tomcat

    - stop OneClick tomcat
         cd $SPECROOT/tomcat/bin

    - rename the existing cacerts file in $SPECROOT/custom/keystore/ to another name
    - copy the cacerts file generated above (step 3) to $SPECROOT/custom/keystore/
    - start OneClick tomcat
         cd $SPECROOT/tomcat/bin/

6. If Tomcat does not start and catalina.out contains the error "the trustanchors parameter must be non-empty", the following may be necessary:

6.1 If you have the root chain certificate as a .cer file, import it into the cacerts keystore as follows:

      keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file <root_chain_certificate_filename>

or follow article 129913 (

Additional Information

You can execute the same steps if the customer-supplied files are .pem files, for example:


spectrum.pem (full chain certificate file)

As the key is encrypted, you will also need the passphrase to decrypt it in step 2.
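Before running step 2 it is worth confirming that the supplied private key actually belongs to the supplied certificate, since a mismatched pair converts without error but is rejected once Tomcat tries to use it. The script below is an added example, not part of this article or of the Spectrum product: it wraps the openssl step with that check, covers the encrypted .pem key case from the Additional Information section, and generates throwaway test material so it runs offline; the file names, the work directory and the passwords are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: check that the supplied private key really
# belongs to the supplied certificate, then build the pkcs12 store that step 3 feeds
# into keytool. File names and passwords are assumptions; test material is constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed, throwaway self-signed pair standing in for spectrum.cer / private.key.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=oneclick.example.test" \
        -keyout "$WORK/private.key" -out "$WORK/spectrum.cer" >/dev/null 2>&1
}

# Succeeds only when the public key inside the cert equals the one derived from the
# private key. A mismatch is the usual reason Tomcat rejects the converted keystore.
# $3 is the passphrase for an encrypted key (the .pem case), empty for a plain key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    if [ -n "${3:-}" ]; then
        key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
    else
        key_pub=$(openssl pkey -in "$2" -pubout)
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# Step 2 of the article with the check in front of it. $4 becomes the pkcs12 password
# that keytool asks for in step 3; $5 is the optional passphrase on the private key.
build_p12() {
    key_matches_cert "$1" "$2" "${5:-}" || { echo "private key does not match certificate" >&2; return 1; }
    if [ -n "${5:-}" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$5" \
            -out "$3" -name tomcatssl -passout "pass:$4"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" \
            -out "$3" -name tomcatssl -passout "pass:$4"
    fi
    # Confirm the store opens and carries the alias that keytool's -srcalias tomcatssl expects.
    openssl pkcs12 -in "$3" -passin "pass:$4" -nokeys 2>/dev/null | grep -q "friendlyName: tomcatssl"
}
```

Passing a passphrase as pass:... exposes it in the process list and shell history; on a shared host prefer -passin file:... or the interactive prompt.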