
Can old and new WSS SSL inspection root certificate co-exist?


Article ID: 220895


Updated On:


Web Security Service - WSS


Due to the expiration of the certificate for SSL inspection (Cloud Services Root CA certificate) of the WSS product, we are deploying the new WSS agent 7.2.1 which also installs the new certificate.

We noticed that after the installation of the new agent, there are two certificates (the old one expiring and the new one) in the machine's certificate store.

Can you confirm that the presence of the two certificates cannot create any kind of impact after the expiration of the first one?



SSL inspection enabled

WSS Agent

SEP Agent

All user agents accessing WSS 


Both the old and new WSS SSL root certificates can co-exist together.

As a best practice, it is recommended that any old, expired certificates of any kind be removed from the SSL root and intermediate trust store on the host machine. 
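One way to act on this recommendation on a Windows host is sketched below. It is an added example, not part of the original article or vendor tooling. It assumes that both the old and new certificates carry "Cloud Services Root CA" in their subject, and the function name `Get-ExpiredStoreCertificate` is hypothetical.

```powershell
# Added example: audit, and optionally remove, expired certificates in the
# machine-wide root and intermediate stores. Run from an elevated prompt.
# Assumption: the WSS certificates' subject contains "Cloud Services Root CA"
# (the name used in this article); adjust the filter to match your store.
function Get-ExpiredStoreCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'),
        [string]$SubjectFilter = '*',
        [datetime]$AsOf = (Get-Date)   # pass a future date to preview upcoming expiries
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path |
            Where-Object { $_.NotAfter -lt $AsOf -and $_.Subject -like $SubjectFilter } |
            Select-Object @{ n = 'Store'; e = { $path } },
                          Subject, Thumbprint, NotBefore, NotAfter, PSPath
    }
}

# 1. Report every expired certificate in both stores.
Get-ExpiredStoreCertificate |
    Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

# 2. Confirm a currently valid WSS root is installed before touching the old one.
$now   = Get-Date
$valid = Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object {
    $_.Subject -like '*Cloud Services Root CA*' -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
}
if (-not $valid) {
    throw 'No currently valid WSS root certificate found; do not remove the old one yet.'
}

# 3. Dry run: show which expired WSS certificates would be removed.
#    Remove -WhatIf to actually delete them.
Get-ExpiredStoreCertificate -SubjectFilter '*Cloud Services Root CA*' |
    ForEach-Object { Remove-Item -LiteralPath $_.PSPath -WhatIf }
```

Until the old certificate's expiry date has passed, step 3 returns nothing, which matches the article's statement that both certificates can remain installed in the meantime.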

Additional Information

WSS SSL interception root certificate update required