Updating SSL certificates in AEM 6.5: truststore and keystore reset
When an SSL certificate expires on an AEM 6.5 publish instance, the system can show an invalid keystore password error if old credentials are missing. Resetting the truststore and keystore and then updating the SSL certificate resolves the issue and restores secure connections.
Description
Environment
Adobe Experience Manager (AEM 6.5) AMS or On-Premise
Issue/Symptoms
- Attempts to update the expired SSL certificate result in an invalid keystore password error.
- The old truststore is unavailable, preventing standard update procedures.
Resolution
Note: It’s recommended to test these steps in a development or lower environment before applying them in production to avoid service disruption.
To resolve the issue, follow these steps:
- Open CRX/DE as an admin user.
- Delete the node associated with the truststore by removing /etc/truststore/truststore.p12.
- Save all changes in CRX/DE.
- Delete the keystore node for the SSL service at /home/users/system/security/ssl-service/keystore to reset the keystore.
- Recreate both the truststore and keystore.
- Update the new SSL certificate in both stores as needed.
- Verify that SSL connections function correctly without password errors.
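For the final verification step, a check like the following can confirm that the publish instance now serves a certificate that validates and is not close to expiry. This is an added example, not Adobe's tooling; the host name publish.example.com, port 443, the 30-day threshold and all function names are assumptions made for illustration.

```python
import socket
import ssl
import sys
import time

def days_until_expiry(cert, now=None):
    """Days left before the notAfter date of a getpeercert() dict."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now) / 86400.0

def assess(cert, min_days=30, now=None):
    """Classify a certificate as EXPIRED, EXPIRING_SOON or OK."""
    left = days_until_expiry(cert, now)
    if left < 0:
        return "EXPIRED"
    if left < min_days:
        return "EXPIRING_SOON"
    return "OK"

def check_endpoint(host, port=443, min_days=30, timeout=10):
    """Handshake with chain and hostname verification, then assess expiry."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Served certificate is expired, untrusted, or issued for another host.
        return "VERIFY_FAILED: " + exc.verify_message
    except OSError as exc:
        # Covers refused connections, timeouts and other TLS handshake errors.
        return "CONNECT_FAILED: " + str(exc)
    return assess(cert, min_days)

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE = {"notAfter": "Jan  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    # Placeholder host; pass the real publish host name as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "publish.example.com"
    print(host, check_endpoint(host))
```

A VERIFY_FAILED result after the reset means the instance is still serving the old or an untrusted certificate, so the new certificate was not picked up by the recreated keystore.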