Need some clarity on keytool command while installing certificates

Hi All,

To install SSL Certificate for any partner we are following below process:

1. Copying certificate to …/cer location
2. Running keytool command which is copying certificate to truststore loc.
3. Refreshing keystore & TrustStore.

What is happening when we are running the keytool command?
Is it updating the truststore.jks file?
Does it do any additional things?

And let us say I have some old certificate and now I got the new certificate. I followed the above process and installed the certificate. How does IS identify which certificate to use, as it has old copies and a new copy of the certificate …

Thanks in advance for your help.

Thanks,
RP

You need to refresh all the folders with the new cert name to use and also make sure you restart the IS to refresh the cache.

HTH,
RMG

Which version of WM are you using?
If it is one of the newer ones that use a jks file as truststore, you need to edit the jks file (Keystore Explorer is a great free tool).
If client only updated the server cert, not the root and intermediate CA, you normally don’t need to change anything in the Trust Store, since they should be there already.
If the client is using the cert for HTTPS authentication, you need to load it as a client cert (using Admin UI pages), and map it to a user. Co-existence of both old and new as client cert won’t be an issue.

Hello,

I am using wm8.2 version. After installing the certificate, we are just refreshing TrustStore & KeyStore, after which IS is taking the changes. We are not restarting IS after this activity.

Thanks,
RP

You should also try restarting IS to fully refresh. Apart from that, Tong Wang's comments, if you are on the same page, could resolve your issue.

HTH,
RMG

You just need to reload the truststore, and click on “Clear SSL Cache”. No need for an IS restart.
Is there any issue still?

It’s working fine, but I just want to understand what exactly is happening after using the keytool command that updates the key store, and how IS comes to know which certificate it has to use, as multiple certificates (older and newer) exist for the same partner.

Thanks,
RP