After upgrading, a custom browser keystore <certname>.jks was not migrated. 

Browser certificate previously imported into <custom keystore name>.jks

If, when a browser certificate is made and imported into a keystore named anything other than .keystore, the new keystore will not be migrated, as only .keystore is migrated. 

• While it can be made to work, changing the keystore name to import your browser certificate is not supported. 
  
  

Solution 1:

Manually move your custom browser keystore and restart services.

Solution 2(recommended):

• Relocate the existing .keystore file typically located in ../tomcat/conf/ 
• Manually move the keystore from the previous installation to /tomcat/conf
• Rename the newly moved keystore to .keystore
• Correct Protect.properties to point to this keystore
• This will prevent future upgrades from failing at this step. 

Documented instructions to keep .keystore file named as .keystore. 

Generating a unique browser certificate

"

• The -keystore parameter specifies the name and location of the keystore file which must be 
  .keystore located in this directory. This is specified by using 
  -keystore .keystore"