Gaining a grip on certificates in a world of increasingly shorter terms


By Marije Politiek, 23 June 2026

Cleverly organised, so you don’t have to worry about it every day

At MCX, certificate management is largely automated. This is no luxury. The validity period of certificates used to secure URLs is becoming much shorter: currently six months, soon three months (in 2027), and eventually as short as 47 days in 2029. Without automation, renewing them—multiplied by all customer URLs—would become a nearly full-time operation.


We support various scenarios. For example, a customer can authorize MCX to request certificates for specific URLs, use URLs managed by MCX, provide certificates themselves, or have us generate a Certificate Signing Request (CSR) and return it signed.

Once a certificate is available through one of these methods, we place it in a predetermined location on the customer’s server. From there, automation takes over. Depending on the situation, up to three updates may be required: a certificate bundle for front-end security on the load balancer, an update to the keystore within the WebLogic domain, and an update to the certificate data in the PeopleSoft database.


The script begins by analyzing the provided certificate. We verify that all necessary components are present: the private key, the leaf certificate, and any intermediate and root certificates. These components are then separated: the key for secure communication, the URL-specific leaf certificate and the certificates that together form the trust chain leading to the Certificate Authority.
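The analysis step described above can be sketched as follows. This is an added example, not MCX's script: it uses only the Python standard library, and the function names are hypothetical. It orders the bundle by matching issuer and subject names only; it does not verify signatures or check that the private key belongs to the leaf, which a production script would do with a cryptographic library.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw issuer and subject Name encodings of one DER certificate."""
    _, pos, _ = read_tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)  # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version
        pos = end
    fields = []
    for _field in range(5):         # serial, sigAlg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def split_bundle(pem_text):
    """Return (key_der, leaf_der, chain); raise ValueError if a part is missing."""
    blocks = [(label, base64.b64decode(body)) for label, body in PEM_RE.findall(pem_text)]
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("need exactly one private key and at least one certificate")
    names = [issuer_subject(der) for der in certs]
    # The leaf is the one certificate whose subject issued nothing else here.
    leaves = [i for i, (_, sub) in enumerate(names)
              if not any(iss == sub for j, (iss, _) in enumerate(names) if j != i)]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    by_subject = {sub: i for i, (_, sub) in enumerate(names)}
    chain, cur = [], leaves[0]
    # Walk issuer links upward until a self-signed root or a missing issuer.
    while names[cur][0] != names[cur][1] and names[cur][0] in by_subject:
        if len(chain) >= len(certs):
            raise ValueError("issuer loop in bundle")
        cur = by_subject[names[cur][0]]
        chain.append(certs[cur])
    return keys[0], certs[leaves[0]], chain
```

The returned chain runs from the leaf's issuer up to the root, regardless of the order in which the blocks appear in the supplied file.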


Based on this, the script compiles the correct certificate file for the load balancer. At the same time, it generates the necessary commands to deploy the certificate and restart the associated processes.


The script then turns its attention to WebLogic. It identifies the correct domain, retrieves the existing keystore and first creates a backup. The existing certificates are then validated, and the keystore is rebuilt using the new key and the leaf certificate. In doing so, we take multiple aliases into account: valid certificates are retained, whilst expired ones are removed. Finally, the script clearly outlines the steps required to restart the domain so that the new keystore becomes active.


If the certificate chain changes – for example, due to a different configuration or a new Certificate Authority – the root and intermediate certificates in PeopleSoft must also be updated. After all, PeopleSoft uses these to validate leaf certificates. Instead of doing this manually via the application, we automate this process using PeopleTools Automated Configuration Management. The script generates both the certificate file and the corresponding configuration file and provides the necessary execution commands.

The script can be used flexibly for ad hoc scenarios. It can accept a certificate file or a URL as input, retrieve the certificate if necessary, and place it directly into the appropriate keystore on the web server or domain.


In addition, we can automatically identify most of the URLs used within a PeopleSoft environment. This list can optionally be expanded via an input file. For each URL, the script determines the expiry date – including warnings when fewer than 30 days remain – and flags any changes to the certificate or the trust chain compared to previous checks. We also verify whether the WebLogic keystore can still validate the relevant URL correctly.
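The per-URL check described above, as an added example (not MCX's script; function and field names are hypothetical). It uses the issuer name as a stand-in for the trust chain, because the standard-library calls used here expose only the leaf certificate, and it runs offline on constructed observations.

```python
import hashlib
import socket
import ssl
import time

WARN_DAYS = 30  # the post warns when fewer than 30 days remain

def observe(host, port=443, timeout=5.0):
    """Fetch the served leaf certificate. A chain the local trust store cannot
    validate raises ssl.SSLCertVerificationError, which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    issuer = ", ".join("%s=%s" % pair for rdn in info["issuer"] for pair in rdn)
    return {"not_after": info["notAfter"], "issuer": issuer,
            "leaf_sha256": hashlib.sha256(der).hexdigest()}

def evaluate(obs, previous=None, now=None):
    """Compare one observation with the stored one and return the findings."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(obs["not_after"]) - now) // 86400)
    findings = []
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left < WARN_DAYS:
        findings.append("EXPIRES_IN_%d_DAYS" % days_left)
    if previous is not None:
        if obs["leaf_sha256"] != previous["leaf_sha256"]:
            findings.append("LEAF_CHANGED")
        if obs["issuer"] != previous["issuer"]:
            findings.append("ISSUER_CHANGED")  # proxy for a trust-chain change
    return findings

# Constructed observations (not real certificates) for an offline run.
PREVIOUS = {"not_after": "Jun  1 12:00:00 2026 GMT",
            "issuer": "CN=Constructed CA 1", "leaf_sha256": "aa" * 32}
CURRENT = {"not_after": "Sep  1 12:00:00 2026 GMT",
           "issuer": "CN=Constructed CA 2", "leaf_sha256": "bb" * 32}
NOW = ssl.cert_time_to_seconds("May 12 12:00:00 2026 GMT")

if __name__ == "__main__":
    print(evaluate(PREVIOUS, None, NOW))
    print(evaluate(CURRENT, PREVIOUS, NOW))
```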



This approach enables us to maintain control over an increasingly dynamic certificate landscape. We identify anomalies at an early stage, prevent surprises and ensure that the environment remains secure and available, without management becoming a full-time job.
