Trying to import new SSL cert for tomcat with error: Alias name [null] does not identify a key entry

Article ID: 277642

Products

CA Spectrum DX NetOps

Issue/Introduction

We use a governance tool for SSL certs and it will not allow us to reuse a private key.

I was able to generate a new cert, private key and chain of trust in pfx format.

How can we import the new cert into tomcat?

Environment

Spectrum: All Supported Versions

Cause

Old cert expires in a few days, and the automatic process to update the certs is broken on this host.

The new cert we have does not match the old keystore private key.

Resolution

Start tomcat using the original keystore and cert to make sure it works.

Stop tomcat and then run these commands:

  1. Delete the old cert by alias

/opt/spectrum/Java/jre/bin/keytool -delete -keystore /opt/spectrum/custom/keystore/cacerts -storepass changeit -v -alias <alias>

  2. Import the new private key

/opt/spectrum/Java/jre/bin/keytool -v -importkeystore -srckeystore /home/user/file.pfx -srcstoretype PKCS12 -destkeystore /opt/spectrum/custom/keystore/cacerts -deststoretype JKS

Enter the passwords when prompted; the import should complete successfully.

  3. Finally we changed the storepass to match the old info:

/opt/spectrum/Java/jre/bin/keytool -keypasswd  -alias <alias> -keystore /opt/spectrum/custom/keystore/cacerts

Then we started tomcat; it came up cleanly, we could log in, and we verified the new cert was in play.
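An added example, not part of the original article: before restarting tomcat, confirm that the imported alias is a PrivateKeyEntry, because an alias that holds only a certificate is the condition the "does not identify a key entry" error in the title describes. The function names and the sample listing are constructed for illustration; the keytool path is the one used in the steps above.

```shell
#!/bin/sh
# Added example: classify keystore entries from `keytool -list` output.
# Function names are hypothetical; sample data below is constructed.

KEYTOOL=${KEYTOOL:-/opt/spectrum/Java/jre/bin/keytool}   # path from the article

# Constructed sample of `keytool -list` output (not from a real host).
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Mar 3, 2025, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
rootca, Mar 3, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66:77'

# Print the entry type for an alias, reading `keytool -list` output on stdin.
# Prints "missing" when the alias is not in the listing.
entry_type() {
  awk -v want="$1" '
    # Entry lines end with the type and a comma; the date also contains
    # a comma, so the type is taken as the second-to-last field.
    /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ \t]*$/ {
      n = split($0, f, /,[ \t]*/)
      # JKS aliases are case-insensitive, so compare in lower case.
      if (tolower(f[1]) == tolower(want)) { print f[n-1]; found = 1; exit }
    }
    END { if (!found) print "missing" }'
}

# Succeeds only when the alias holds a private key, which tomcat needs.
has_private_key() {
  [ "$(entry_type "$1")" = "PrivateKeyEntry" ]
}

# Live check against a real keystore; keytool prompts for the store password.
# usage: check_keystore <keystore> <alias>
check_keystore() {
  "$KEYTOOL" -list -keystore "$1" | has_private_key "$2"
}
```

On the host, `check_keystore /opt/spectrum/custom/keystore/cacerts <alias>` returns non-zero if the alias is missing or is only a trustedCertEntry.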

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/22-2/securing/configure-oneclick-for-secure-sockets-layer.html#concept.dita_93a9c4a8b9c7669849f4ba0735c4cff1e7065984_selfsigned