Replacing the Certificates

Certificate replacement replaces all existing certificates with new ones.

You may want to do this because:

  • The existing certificates have expired, or are about to expire.

    Both server certificates and CA (trust) certificates have defined lifespans. Once they expire, connections that use those certificates no longer work.

  • Your organization has a policy requiring a different certificate expiry from the default provided by the BI configuration assistant.

  • The security of the existing certificates and keys has been compromised.

Assumptions:

  • You run commands from the master host.

  • This is an offline operation.

  1. Replace internal BIEE or client certificates.

    The regenerate command invalidates existing client certificates, so you must re-export them.

    ./ssl.sh regenerate
    ./ssl.sh exportclientcerts mydir
    
  2. Restart the domain using:

    ./start.sh
    
  3. Check that the WebLogic certificates and the corresponding trust are correctly configured using:

    ./ssl.sh report
    

Post conditions

The domain now runs with SSL, and uses the new certificates. Servers will not connect to a WebLogic instance using the old trust.

You can run the ssl.sh expiry command to list the new certificates with the new expiry date.
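
To cross-check expiry dates independently of ssl.sh, for example on the directory written by exportclientcerts, the following added example (not part of the Oracle tooling) flags certificates that expire within a given number of days. It assumes `openssl` is installed and that the directory holds PEM-encoded certificates in `*.pem` files, which this page does not specify; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag PEM certificates in a directory that expire soon.
# Assumption: certificates are PEM-encoded X.509 files named *.pem; the
# layout of the exportclientcerts output is not described on this page.

# list_expiring DIR DAYS
# Prints "<file><TAB><notAfter>" for every certificate in DIR that has
# already expired or will expire within DAYS days.
# Only the first certificate in each file is examined.
list_expiring() {
    dir=$1
    days=$2
    secs=$((days * 86400))
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # Skip files that are not certificates (for example private keys).
        openssl x509 -in "$f" -noout 2>/dev/null || continue
        # -checkend exits non-zero if the certificate expires within $secs seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
            printf '%s\t%s\n' "$f" "$end"
        fi
    done
}

# count_expiring DIR DAYS
# Prints the number of certificates that list_expiring would flag.
count_expiring() {
    list_expiring "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: ./check_expiry.sh mydir [days]   (default threshold: 30 days)
if [ "$#" -ge 1 ]; then
    list_expiring "$1" "${2:-30}"
fi
```

An empty result after regeneration means no certificate in the directory falls inside the threshold.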