How to Renew Demo Identity Certificate thats Expired for DemoIdentity in Weblogic


DemoIdentity identity certificate expired and getting the following error in the logs:

 <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the kss keystore file kss://system/demoidentity.>
<Alert> <Security> <BEA-090154> <Identity certificate has expired:


1. Login to EM console.

2. Navigate to <domain name> [ eg :- base_domain ]

3. Click on the drop down Weblogic Domain -> Security -> Keystore

4. Expand the system folder.

5. Select the demoidentity -> click Manage

6. It will prompt for password , enter the password DemoIdentityKeyStorePassPhrase

7. It will open the Manage Certificates option.

8. Select the existing 'DemoIdentity' certificate which is expired -> Select Delete.

(NOTE: You need to click the refresh button on the top right to see the changes)

9. It will ask to enter password -> Enter the password as : DemoIdentityPassPhrase

10. Click on Generate Keypair.

11. Provide the same information as before.

Alias name: DemoIdentity
Subject Name: DemoCertFor_base_domain
Password: DemoIdentityPassPhrase

12. You can see that a self signed certificate is created.

Now we need to sync the KSS store information to the local keystores.xml file located under the $DOMAIN_HOME/config/fmwconfig/

Note: It is suggested to have a backup of your domain before making any changes to the domain, but it is not required.

1. Navigate to $ORACLE_HOME/oracle_common/common/bin

2. Launch the, and run syncKeyStores command to sync system KSS keystore

Example below:

bash$ ./

Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

wls:/offline> connect()
Please enter your username :<username>
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://<admin hostname>:<admin port>
t3://<admin hostname>:<admin port>
Connecting to t3://<admin hostname>:<admin port> with userid <username> ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "base_domain".

Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

wls:/base_domain/serverConfig/> syncKeyStores(appStripe='system', keystoreFormat='KSS')
Location changed to domainRuntime tree. This is a read-only tree
with DomainMBean as the root MBean.

Keystore sync successful.

3. Restart the admin server followed by managed server(s).

NOTE: If you have multiple nodes you'll also need to run the WLST steps to sync keystores.xml on each remote host.

Before starting the nodemanager on a remote host, start a managed server manually to synchronize with $DOMAIN_HOME including keystores.xml of the adminserver.


4. Verify the error is logs and SSL services should be running.

Please do like and subscribe to my youtube channel: If you like this post please follow,share and comment