Update Certificates After Changing Listener Addresses

You can update certificates following a change of listener address, for example after setting an explicit listener address in the WebLogic console to replace the default (blank).

After such a change, the ssl.sh scan command shows errors due to incorrect certificate common names. Connections to servers whose certificates do not match their listening addresses are rejected.

Assumptions:

  • You run commands from the master host.

  • This is an offline operation.

To update the certificates after changing listening addresses:

  1. Update certificates by running:
    ./ssl.sh rebindchannelcerts
    
  2. Restart the domain using:
    ./start.sh
    
  3. Check that the WebLogic certificates and the corresponding trust are correctly configured using:
    ./ssl.sh report
    

Post conditions

The domain now runs with SSL, and uses the new certificates. The new certificates have the same expiry as existing certificates. The certificates are signed by the existing internal certificate authority so previously exported client trust remains valid.

You can run the ssl.sh expiry command to list the new certificates with the new expiry date.
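
The common-name mismatch described above can also be spot-checked independently of ssl.sh with the stock openssl command line. The script below is an added example, not part of the product's tooling; the host names, function names and file paths are constructed, and the sample certificate is a throwaway self-signed one.

```shell
#!/bin/sh
# Added example. Host names and paths are constructed, not taken from a real domain.

# Create a throwaway self-signed certificate: $1 = common name, $2 = output directory.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# Return 0 if the certificate file $1 is valid for listener address $2.
cert_matches_listener() {
    case $2 in
        *:*)        cml_flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*)  cml_flag=-checkhost ;;  # contains other characters: host name
        *)          cml_flag=-checkip ;;    # digits and dots only: IPv4 literal
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate";
    # parse the text instead of relying on the exit status.
    cml_out=$(openssl x509 -in "$1" -noout "$cml_flag" "$2" 2>/dev/null)
    case $cml_out in
        *"does match certificate"*) return 0 ;;
        *)                          return 1 ;;
    esac
}

# Print one line per listener address; return 1 if any address is not covered.
check_listeners() {
    cl_cert=$1; shift
    cl_rc=0
    for cl_addr in "$@"; do
        if cert_matches_listener "$cl_cert" "$cl_addr"; then
            echo "OK        $cl_addr"
        else
            echo "MISMATCH  $cl_addr"
            cl_rc=1
        fi
    done
    return $cl_rc
}

# Demo: certificate issued for the old address, listener moved to a new one.
demo_dir=$(mktemp -d)
make_sample_cert wls-old.example.internal "$demo_dir"
check_listeners "$demo_dir/cert.pem" wls-old.example.internal wls-new.example.internal \
    || echo "certificate does not cover every listener address"
rm -rf "$demo_dir"
```

To check a real server certificate, export it to a PEM file and pass that file and the configured listener addresses to check_listeners.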