I have a Fault Tolerant (Primary and Backup) Main Location Server (MLS) with OneClicks and two separate OneClicks in a customer environment.
How to generate:
1. A self-signed certificate in cacerts which tomcat and webtomcat will use
2. The same as above but as CSR files (in the future these CSRs will be signed).
Fault Tolerant Spectrum
Guidance for certificate creation
1. Change to the $SPECROOT/Java/bin directory.
2. Generate the private key on both OneClick servers:
keytool -genkey -alias tomcatssl -keyalg RSA -keystore <path_to_cacerts> -ext "SAN=dns:FQDN1,dns:FQDN2,ip:<IP>,ip:<IP>"
3. To confirm that the SAN was added, run:
keytool -list -v -keystore <path_to_cacerts>
4. Create the Certificate Signing Request (CSR):
keytool -certreq -alias tomcatssl -keystore <path_to_cacerts> -ext "SAN=dns:FQDN1,dns:FQDN2,ip:<IP>,ip:<IP>" -file cert-req.csr
5. Check that the certificate request includes the SAN extension with the following command:
keytool -printcertreq -file cert-req.csr
6.1 Self-signed certificate:
ref:
http://certificate.fyicenter.com/117_keytool-gencert_Command_Examples-Sign_CSR.html
6.2 CA-signed certificate: send the CSR to the Certificate Authority
7. Import certificate:
Import the certificate following the steps described in the documentation:
Import a CA-Signed Certificate
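
The SAN checks in steps 3 and 5 can be scripted so that a CSR missing one of the fault-tolerant pair's names is caught before it goes to the CA. The script below is an added example, not part of the original guidance or the product documentation; the host names, IP addresses, password and file names are constructed placeholders, and the keytool output layout it parses is an assumption.

```shell
#!/bin/sh
# Added example. Hostnames, IPs, password and file names are constructed placeholders.

# san_missing "<dns:..,ip:..>" < keytool-output
# Reads `keytool -list -v` or `keytool -printcertreq` output on stdin, prints
# every expected entry absent from the SubjectAlternativeName block, and
# returns 1 if anything is missing (including the whole block).
san_missing() {
    block=$(sed -n '/SubjectAlternativeName \[/,/^[[:space:]]*]/p' | tr -d ' \t')
    rc=0; old_ifs=$IFS; IFS=,
    for want in $1; do
        case "$want" in
            dns:*) line="DNSName:${want#dns:}" ;;
            ip:*)  line="IPAddress:${want#ip:}" ;;
            *)     line="$want" ;;
        esac
        printf '%s\n' "$block" | grep -qixF "$line" || { echo "missing: $want"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# csr_with_san <keystore> <storepass> <san-list> <csr-file>
# Steps 2, 4 and 5 of the procedure, non-interactive; fails if the CSR lacks a SAN.
csr_with_san() {
    keytool -genkey -alias tomcatssl -keyalg RSA -keysize 2048 \
        -dname "CN=oneclick1.example.com" -keystore "$1" \
        -storepass "$2" -keypass "$2" -ext "SAN=$3" &&
    keytool -certreq -alias tomcatssl -keystore "$1" -storepass "$2" \
        -ext "SAN=$3" -file "$4" &&
    keytool -printcertreq -file "$4" | san_missing "$3"
}

# Constructed sample of the extension block keytool prints for a CSR that
# lists only the primary OneClick host (layout assumed from keytool's output).
SAMPLE='Extension Request:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: oneclick1.example.com
  IPAddress: 192.0.2.10
]'

WANT="dns:oneclick1.example.com,dns:oneclick2.example.com,ip:192.0.2.10,ip:192.0.2.11"
printf '%s\n' "$SAMPLE" | san_missing "$WANT" || true   # reports the backup host's entries

# Live run against a scratch keystore (not cacerts):
#   csr_with_san /tmp/scratch.jks changeit "$WANT" /tmp/cert-req.csr
```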