We are unable to replace the default, self-signed Apache certs for port 443 in /opt/CA/VirtualAppliance/custom/apache-ssl-certificates/. By default, the localhost.key and localhost.crt files are owned by the config user and belong to the apache group. Overwriting the cert and key files changes their group from apache to config, which removes Apache's privileges on them.
Additionally, the config user is not allowed to run /bin/chgrp to change the group back to apache, even though it owns the crt and key files.
Release : 14.4
Component : IdentitySuite (Identity Suite)
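The issue was caused by using the 'mv' command rather than the 'cp' command. 'mv' replaces the destination with the moved file, which carries the config user's own group, whereas 'cp' onto an existing file overwrites only its contents and keeps the existing owner and group.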
Copy the new cert to:
/opt/CA/VirtualAppliance/custom/apache-ssl-certificates
Suggested Naming Convention:
localhost.crt.newcert
localhost.key.newkey
Navigate to:
/opt/CA/VirtualAppliance/custom/apache-ssl-certificates
Back up the old certs (the resulting owner/group of each file is shown in parentheses):
run 'cp localhost.crt localhost.crt.backup' (config/config)
run 'cp localhost.key localhost.key.backup' (config/config)
Update the current certs to the new ones:
run 'cp localhost.crt.newcert localhost.crt' (config/apache)
run 'cp localhost.key.newkey localhost.key' (config/apache)
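The backup and copy-in-place steps above as a script that also checks that the owner, group and mode of localhost.crt and localhost.key are unchanged afterwards. This is an added example, not code from the original article or the vendor; the function names file_meta, replace_in_place and install_cert_pair are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Print "mode owner group" for a file, taken from ls -ld.
file_meta() {
    ls -ld -- "$1" | awk '{print $1, $3, $4}'
}

# replace_in_place NEW DEST
# Overwrite DEST with the contents of NEW using cp. cp writes into the
# existing file, so DEST keeps its owner, group and mode. Refuses to run if
# DEST does not exist, because cp would then create a new file with the
# caller's own group, which is the failure described above.
replace_in_place() (
    new=$1; dest=$2
    [ -f "$new" ] && [ -f "$dest" ] || { echo "missing $new or $dest" >&2; exit 2; }
    before=$(file_meta "$dest")
    cp -- "$new" "$dest" || exit 1
    after=$(file_meta "$dest")
    if [ "$before" != "$after" ]; then
        echo "metadata changed on $dest: '$before' -> '$after'" >&2
        exit 1
    fi
    # Confirm the new contents actually landed.
    cmp -s -- "$new" "$dest"
)

# install_cert_pair DIR
# Mirrors the steps above inside DIR: back up localhost.crt and
# localhost.key, then copy localhost.crt.newcert and localhost.key.newkey
# over them in place.
install_cert_pair() (
    cd -- "$1" || exit 2
    for f in localhost.crt localhost.key localhost.crt.newcert localhost.key.newkey; do
        [ -f "$f" ] || { echo "missing $f in $1" >&2; exit 2; }
    done
    cp -- localhost.crt localhost.crt.backup || exit 1
    cp -- localhost.key localhost.key.backup || exit 1
    replace_in_place localhost.crt.newcert localhost.crt || exit 1
    replace_in_place localhost.key.newkey localhost.key
)
```

Run it as the config user with the certificate directory as the argument, for example: install_cert_pair /opt/CA/VirtualAppliance/custom/apache-ssl-certificates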