For enterprise operations, security is non-negotiable. If you're running Workload Automation with the older, default 1024-bit certificates, you're sitting on a major vulnerability. These keys are aging, slow, and no longer meet modern security benchmarks. The challenge? Replacing them without breaking communication across your entire dynamic agent network and without enduring costly downtime. Fortunately, WA version 10.2.5 introduced the tools and features to make this critical security upgrade surprisingly simple, guaranteed, and seamless. Let's dive into the six rapid steps to replace your default 1K certificates with robust 4K keys using the powerful Certman tool.

Prerequisite: Upgrade the MDM to v10.2.5

This guide relies entirely on the enhanced certificate management capabilities introduced in Workload Automation version 10.2.5. If you haven't upgraded yet, please do so now. This foundational step is essential for using the automated features of Certman.

Step 1: Generate Your Secure Certificates with Certman

You need a new set of robust certificates (CA, private key, and server certificate), ideally with at least a 4096-bit key. From your Master Domain Manager (MDM) machine, set your environment and run:

certman generate -keypasswd strongPasword -outpath /tmp/newCerts

Step 2: Trust the New CA on the Server

To prepare the server to recognize the new certificates, we must trust the newly generated Certificate Authority (CA).

Step 3: Proactively Trust the New CA on Dynamic Agents

This is the zero-downtime secret. Before we replace the server's certificate, we push the new CA to the dynamic agents so they are ready for the change. This ensures they maintain communication throughout the process. Run the AgentCertificateDownloader command on every dynamic agent:

AgentCertificateDownloader --wauser <wauser> --wapassword <wauserPwd> --tdwbhostname <server_ip> --tdwbport 31116 --work_dir <work_dir>

Step 4: Import and Replace the Server Certificate

Now that the dynamic agents trust the new CA, we can safely replace the certificate used by the server's Liberty component. We use Certman again for a flawless swap. Run this command on the MDM:

certman import -inpath <newCertsPath> -all -keypasswd <strongPasword> -alias server -updatedepot -forcealias

Zero Downtime Check: After running this, notice that your dynamic agents continue communicating with the server because they already trust the new CA (from Step 3). Only the MDM's client connection and Composer will temporarily lose connectivity.

Step 5: Update the Master Agent's Client Certificate

The Master Domain Manager (MDM) has its own local agent that also needs to trust the new CA. We simply re-run the AgentCertificateDownloader locally. Run the exact same command from Step 3, but on the MDM machine itself:

AgentCertificateDownloader --wauser <wauser> --wapassword <wauserPwd> --tdwbhostname <server_ip> --tdwbport 31116 --work_dir <work_dir>

This updates the MDM's local agent client configuration, restoring its full communication with its own server component.

Step 6: Connect the DWC to the Secure Engine

The final step is to ensure your Dynamic Workload Console (DWC) trusts the new server certificate so you can log in without certificate errors. From the DWC machine, use Certman to import the new server certificate directly from the engine URL:

./certman import -url <waserverIP:waserverPort> -storepasswd <dwcStorePassword>

Your DWC will now successfully connect to the newly secured HWA engine!

Conclusion: Security Solved, Productivity Restored

You have successfully replaced the insecure 1K default certificates with robust, modern 4K keys across your entire HWA environment. By strategically updating your agents first, you achieved this critical security upgrade with zero interruption to your running schedules. This is what modern enterprise automation is all about: simplicity, security, and guaranteed continuity. Steps 4 and 5 can also be applied to update the certificates on the BKM. Time to leverage your secure, optimized HWA environment!

Pasquale Peluso, Workload Automation Dev & ID Manager

Pasquale is a Manager with more than 6 years of experience within the HCL Software Workload Automation portfolio. Currently leading the Backend Development and Information Development (ID) teams, he has a full-stack understanding of the product for both standard installations and containerized deployments. Pasquale has been on the front lines, promoting and showcasing the crucial innovations accompanying Workload Automation, starting with the release of version 9.5 and beyond. His insights bridge the technical complexities of development with clear, user-focused product strategy.
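Before running Step 4, two things are worth checking mechanically: that the certificate Certman generated in Step 1 really carries a 4096-bit key, and that the CA each agent fetched in Step 3 is the same CA you are about to switch the server to. The shell functions below are an added example, not part of Certman or any HCL tooling; they parse ordinary openssl output, and the file paths, the presence of openssl on PATH, and the sample strings are my assumptions (the post does not show Certman's output file names).

```shell
#!/bin/sh
# Pre-flight checks for the rotation above (added example, not HCL tooling).
# Assumptions: openssl is on PATH; the certificate paths are supplied by you,
# since the post does not show the file names certman generate writes.

# min_key_bits_ok TEXT MIN: succeeds when the "Public-Key: (N bit)" line in
# `openssl x509 -noout -text` output reports N >= MIN (4096 for this rotation).
min_key_bits_ok() {
    bits=$(printf '%s\n' "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# same_fingerprint LINE_A LINE_B: compares two "sha256 Fingerprint=..." lines,
# ignoring hex case because OpenSSL versions differ in how they print it.
same_fingerprint() {
    a=$(printf '%s' "$1" | sed 's/.*=//' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | sed 's/.*=//' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_key_ok FILE MIN: real-file wrapper around min_key_bits_ok.
cert_key_ok() {
    min_key_bits_ok "$(openssl x509 -in "$1" -noout -text)" "$2"
}

# agent_trusts_new_ca NEW_CA AGENT_CA: succeeds when the CA generated in Step 1
# and the CA an agent downloaded in Step 3 have the same SHA-256 fingerprint.
agent_trusts_new_ca() {
    same_fingerprint "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" \
                     "$(openssl x509 -in "$2" -noout -fingerprint -sha256)"
}

# Constructed sample outputs, in the layout openssl prints, so the checks can
# be exercised without the real certificates.
SAMPLE_OLD='        Public Key Algorithm: rsaEncryption
            Public-Key: (1024 bit)'
SAMPLE_NEW='        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)'
FP_A='sha256 Fingerprint=AB:12:CD:34'
FP_B='SHA256 Fingerprint=ab:12:cd:34'
FP_C='SHA256 Fingerprint=ab:12:cd:35'

# Usage against real files (placeholder paths), run on an agent before Step 4:
# cert_key_ok /tmp/newCerts/<server-cert> 4096 \
#   && agent_trusts_new_ca /tmp/newCerts/<ca-cert> <work_dir>/<ca-cert> \
#   && echo "safe to run Step 4"
```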