When replacing an expiring SSL/TLS certificate in the keystore, the JCP (Java Communication Process) may detect and pick up the new certificate automatically. However, the REST process continues to use the old/expired certificate. This can result in the following:

• AWI Search Failures: Search functionality in the Automic Web Interface (AWI) no longer returns results because it relies on the REST API.
• AWI Logs: Reporting that the certificate for the REST port (e.g., 8088) has expired.
• Interface Issues: "Odd things happening" within the AWI interface due to failed REST communication.
• Error Messages:
  • U00045393 SSL Certificate invalid: The validity period of the certificate has expired or not yet reached
  • javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
  • Caused by: java.security.cert.CertificateExpiredException: NotAfter: [Date]

• Automic Automation 21.0, 24.x, 26.x
• REST API has TLS/SSL enabled (sslenabled=1)

This was determined to be a defect with the product -  DE186798.  In Automic Automation v21 and v24, the AWI search functionality and other services rely on the REST API. While normal JCPs are programmed to monitor the keystore and refresh certificate entries automatically, the REST process (JCP REST) does not currently share this functionality. It initializes its SSL context during startup and does not re-examine the keystore for changes while running.

This behavior is targeted to be fixed in a new release of 24.4 and 26.x Automation Engine. Please subscribe to this article (see How to subscribe to Knowledge Base articles) to be updated on the fix status.

Workaround

To apply a new or updated certificate to the REST process and restore functionality (including AWI search):

1. Update Keystore: Add the new certificate to the keystore (ensure the alias and password match the ucsrv.ini configuration).
2. Clean Up: Remove any old or expired certificates from the keystore to prevent conflicts.
3. Restart REST Process: Manually stop and restart the REST process(es) (identified as type REST in the Administration perspective).
4. Verification:
   • Use openssl s_client -connect [Host]:[Port] to verify the new certificate is being presented.
   • Log back into the AWI and confirm the search functionality is operational.