REST does not automatically pick up new certificates from keystore without restart
Article ID: 437425

Updated On:

Products

CA Automic Workload Automation - Automation Engine CA Automic One Automation

Issue/Introduction

When replacing an expiring SSL/TLS certificate in the keystore, the JCP (Java Communication Process) may detect and pick up the new certificate automatically. However, the REST process continues to use the old/expired certificate.

This can result in the following symptoms:

  • AWI (Automic Web Interface) logs reporting that the certificate for the REST port (e.g., 8088) has expired.
  • "Odd things happening" within the AWI interface due to failed REST communication.
  • Errors such as "U00045393 SSL Certificate invalid: The validity period of the certificate has expired or not yet reached" appearing in logs once the old certificate's expiration date has passed.

An openssl command such as the following:

 openssl s_client -connect rest-process-url.example.com:8088 < /dev/null 2>/dev/null | openssl x509 -noout -dates -subject

returns the dates of the old certificate rather than those of the replacement certificate.

Environment

  • Automic Automation 21.0, 24.x
  • REST API has TLS/SSL enabled (sslenabled=1)

Cause

This behavior is by design. While the JCP is programmed to monitor the keystore and automatically refresh its certificate entry without a restart, the REST process does not currently share this functionality. The REST process initializes its SSL context during startup and does not re-examine the keystore for changes while running.

Resolution

To apply a new or updated certificate to the REST process, a manual restart of the REST process is required.

  1. Update the keystore with the new certificate (ensure the alias and password match the ucsrv.ini configuration).
  2. Remove any old or expired certificates from the keystore to prevent conflicts.
  3. Restart the REST process(es).
  4. Verify the new certificate is being presented correctly (e.g., using openssl s_client -connect [Host]:[Port]).
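The following is an added verification example for step 4, not a script from the article or from Automic: it parses the output of the article's openssl pipeline for the REST port and of the same openssl command applied to the certificate exported from the keystore, then reports whether REST is still presenting the old certificate. The keystore alias and password are assumed to be the ones configured in ucsrv.ini; the sample output embedded below is constructed.

```python
import subprocess
from datetime import datetime, timezone

_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # openssl prints e.g. "Mar  1 12:00:00 2026 GMT"

# Constructed sample output (not captured from a real system): the article's
# symptom, where the port still serves the old certificate after the keystore swap.
SAMPLE_SERVED = "notBefore=Mar  1 00:00:00 2023 GMT\nnotAfter=Mar  1 00:00:00 2024 GMT\nsubject=CN = rest-process-url.example.com\n"
SAMPLE_KEYSTORE = "notBefore=Feb 20 00:00:00 2024 GMT\nnotAfter=Feb 20 00:00:00 2026 GMT\nsubject=CN = rest-process-url.example.com\n"


def parse_x509_text(text):
    """Parse `openssl x509 -noout -dates -subject` output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    for key in ("notBefore", "notAfter"):
        if key in fields:  # collapse openssl's padding before single-digit days
            stamp = " ".join(fields[key].split())
            fields[key] = datetime.strptime(stamp, _OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return fields


def rest_cert_status(served_text, keystore_text, now=None):
    """'ok': REST serves the keystore cert and it is valid. 'stale': REST still serves a
    different (old) cert, so restart REST. 'stale-expired': same, but the old cert has
    already expired (the symptom above). 'expired': the keystore cert itself has expired."""
    now = now or datetime.now(timezone.utc)
    served, stored = parse_x509_text(served_text), parse_x509_text(keystore_text)
    same = served["notAfter"] == stored["notAfter"] and served["subject"] == stored["subject"]
    expired = served["notAfter"] < now
    if not same:
        return "stale-expired" if expired else "stale"
    return "expired" if expired else "ok"


def _x509_summary(pem):
    """Feed PEM bytes through `openssl x509 -noout -dates -subject`."""
    return subprocess.run(["openssl", "x509", "-noout", "-dates", "-subject"],
                          input=pem, capture_output=True).stdout.decode()


def fetch_served(host, port):
    """The article's openssl s_client pipeline against the live REST port (needs network)."""
    return _x509_summary(subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                                        input=b"", capture_output=True).stdout)


def fetch_keystore(keystore, alias, storepass):
    """Export the keystore entry with keytool (alias/password as configured in ucsrv.ini)."""
    return _x509_summary(subprocess.run(["keytool", "-exportcert", "-rfc", "-keystore", keystore,
                                         "-alias", alias, "-storepass", storepass],
                                        capture_output=True).stdout)
```

On a live system, call `rest_cert_status(fetch_served(host, 8088), fetch_keystore(path, alias, password))` before and after the REST restart; anything other than "ok" means the restart has not yet taken effect or the keystore still holds the old entry.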

Note: If you require the REST process to automatically pick up certificate changes without a restart in a future version, please submit a Request for Enhancement (RFE) via the Broadcom Support Portal.