Certificate rotation

Rotate the certificates in your environment.

Before you begin

Before starting the certificate rotation procedure, make sure the following prerequisites are met:
  1. Generate new certificates by performing one of the following procedures:
  2. Give root access to the master domain manager and the dynamic agent.

About this task

You can also extend the certificate customization to the backup master domain manager, the dynamic domain manager, and the Dynamic Workload Console.

To perform certificate rotation in your environment without downtime, follow the procedure described below:

Procedure

  1. Create the additionalCAs folder by running the following command:
    mkdir -p <TWA_DATA_DIR>/ssl/depot/additionalCAs
    
  2. Copy the certificates from the outpath folder into the additionalCAs folder by running the following commands:
    cp outpath/ca.crt <TWA_DATA_DIR>/ssl/depot/additionalCAs/ca_new.crt
    cp SSL_certs_2025/tls.crt <TWA_DATA_DIR>/ssl/depot/additionalCAs/tls_new.crt
    
    Note: If you generated the certificates from an existing CA, you do not need to copy ca_new.crt into the additionalCAs folder.
  3. Add the new ca.crt and tls.crt certificates to the CA chain by running the AgentCertificateDownloader script on the backup master domain manager, dynamic agents and fault-tolerant agents:
    cd <TWS_path>/bin
    ./AgentCertificateDownloader.sh \
      --wauser twsuser \
      --wapassword <wauser password> \
      --tdwbhostname <wauser ip address> \
      --tdwbport <master port> \
      --work_dir /tmp
    
  4. Import the new certificates on the master domain manager and backup master domain manager:
    1. Create the additionalCAs folder for the new certificates within the certificates folder generated by Certman by running the following command:
      mkdir -p <input path>/depot/additionalCAs
      
    2. Copy the certificates from the <TWA_DATA_DIR>/ssl/depot folder to the additionalCAs folder, renaming them as shown:
      cd <TWA_DATA_DIR>/ssl/depot
      cp ca.crt additionalCAs/ca_old.crt
      cp tls.crt additionalCAs/tls_old.crt
      
    The certificates are renewed without downtime.
  5. Import the CA chain by running the following command:
    certman import -inpath <input path> -all -keypasswd <key pwd> -updatedepot -alias server -forcealias

    Where:

    inpath
    Specify the folder that contains the CA chain.
    all
    Import the certificate, the key and the CA chain.
    keypasswd
    Specify the password used to encrypt the private key. If all is specified, this value is mandatory. The password requires a length of at least 8 characters.
    Note: If the password contains characters that the shell interprets (such as !), enclose the password in single quotes. For example:
    -keypasswd 'passw!rd'
    updatedepot
    Add the parameter to the command to update the master domain manager depot folder located at: <TWSDATA>/ssl/depot
    alias server
    Specify the server alias to be used in the truststore file during the import.
    forcealias
    Specify an alias to be used in the truststore file that overwrites the existing alias.
  6. Remove the additionalCAs folder from the depot of the master domain manager:
    rm -rf <TWA_DATA_DIR>/ssl/depot/additionalCAs
    
  7. Run the AgentCertificateDownloader script on the backup master domain manager, dynamic agents and fault-tolerant agents:
    cd <TWS_path>/bin
    ./AgentCertificateDownloader.sh \
      --wauser twsuser \
      --wapassword <wauser password> \
      --tdwbhostname <wauser ip address> \
      --tdwbport <master port> \
      --work_dir /tmp
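The staging done by hand in steps 1 and 2 can be wrapped in a small preflight script that refuses malformed input, refuses to run on top of an additionalCAs folder left behind by an unfinished rotation (step 6), and skips ca_new.crt when the CA has not changed (the Note in step 2). This is an added example, not part of the product; the function name stage_additional_cas and the two positional arguments (the TWA_DATA_DIR value and the folder holding the generated ca.crt and tls.crt) are assumptions.

```shell
#!/bin/sh
# Added example: stage rotated certificates into <TWA_DATA_DIR>/ssl/depot/additionalCAs.
# Not product code; arguments: $1 = TWA_DATA_DIR, $2 = folder with the new ca.crt and tls.crt.
set -eu

# Succeed only if $1 is a non-empty file holding at least one PEM certificate block.
is_pem_cert() {
    [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy the new CA and server certificates into the depot's additionalCAs folder.
# Returns 1 (without touching the depot) on malformed input or a leftover folder.
stage_additional_cas() {
    depot="$1/ssl/depot"
    outpath="$2"
    target="$depot/additionalCAs"

    for f in "$outpath/ca.crt" "$outpath/tls.crt"; do
        is_pem_cert "$f" || { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    # A leftover additionalCAs folder means step 6 of a previous rotation never ran.
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi
    mkdir -p "$target"
    # Existing-CA case: the depot already trusts this CA, so ca_new.crt is not staged.
    if [ -f "$depot/ca.crt" ] && cmp -s "$depot/ca.crt" "$outpath/ca.crt"; then
        echo "ca.crt unchanged, ca_new.crt skipped"
    else
        cp "$outpath/ca.crt" "$target/ca_new.crt"
    fi
    cp "$outpath/tls.crt" "$target/tls_new.crt"
    echo "staged new certificates in $target"
}

# Optional check when openssl is installed: the new server certificate must chain to the new CA.
verify_new_chain() {
    openssl verify -CAfile "$2/ca.crt" "$1/ssl/depot/additionalCAs/tls_new.crt"
}
```

Run verify_new_chain only on real certificates; the staging function itself needs nothing beyond POSIX tools.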