Renew Certificate in Oracle Enterprise Cloud Control OMS Manager Console
Environment:
- Oracle Enterprise Manager Cloud Control 13.4
- OMS console with third party certificate
- Secured
My situation is the following:
1. I am new at this client and apparently the former DBA added a third-party certificate to the OMS console, which is close to expiring.
2. I've been reading the documentation but I can't find the keystore or the wallet associated with this certificate.
So far, I have checked the following:
```
[oracle@hcbae2p01ora022 bin]$ $OMS_HOME/bin/emctl status oms -details
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Enter Enterprise Manager Root (SYSMAN) Password :
Console Server Host : hcbae2p01ora022.hcbe.corp
HTTP Console Port : 7788
HTTPS Console Port : 7803
HTTP Upload Port : 4889
HTTPS Upload Port : 4903
EM Instance Home : /u01/app/oracle_em/gc_inst/em/EMGC_OMS1
OMS Log Directory Location : /u01/app/oracle_em/gc_inst/em/EMGC_OMS1/sysman/log
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 1
Console URL: https://hcbae2p01ora022.hcbe.corp:7803/em
Upload URL: https://hcbae2p01ora022.hcbe.corp:4903/empbs/upload
WLS Domain Information
Domain Name : GCDomain
Admin Server Host : hcbae2p01ora022.hcbe.corp
Admin Server HTTPS Port: 7102
Admin Server is RUNNING
Oracle Management Server Information
Managed Server Instance Name: EMGC_OMS1
Oracle Management Server Instance Host: hcbae2p01ora022.hcbe.corp
WebTier is Up
Oracle Management Server is Up
JVMD Engine is Up
BI Publisher Server Information
BI Publisher Managed Server Name: BIP
BI Publisher Server is Up
BI Publisher HTTP Managed Server Port : 9701
BI Publisher HTTPS Managed Server Port : 9803
BI Publisher HTTP OHS Port : 9788
BI Publisher HTTPS OHS Port : 9851
BI Publisher is locked.
BI Publisher Server named 'BIP' running at URL: https://hcbae2p01ora022.hcbe.corp:9851/xmlpserver/servlet/home
BI Publisher Server Logs: /u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/
BI Publisher Log : /u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/bipublisher/bipublisher.log
```
As you can see from the information above, the console is secured on port 7803. I thought that the certificates should be stored in a wallet, but I can't find the wallet anywhere. Nor was I able to find any command in `emctl` or in `emcli` that can show me where this certificate is stored.
What I know is that the certificate is there, as I used the `secdiag` option of `emctl`:
```
[oracle@hcbae2p01ora022 bin]$ $OMS_HOME/bin/emctl secdiag openurl -url https://hcbae2p01ora022.hcbe.corp:7803/em
Oracle Enterprise Manager Cloud Control 13c Release 4
Copyright (c) 1996, 2020 Oracle Corporation. All rights reserved.
Log file: /tmp/OpenPage_2023_02_21_13_45_115472876152891123503.log
Opening page: https://hcbae2p01ora022.hcbe.corp:7803/em
Using non-validating trust manager; all certificates will be blindly accepted.
Proxy server is not set
Using protocol: TLSv1
Negotiated protocol: TLSv1
Getting the certificate chain
Details of cert# 1 in chain:
Subject: EMAILADDRESS=xxxxxxx, CN=hcbae2p01ora022.hcbe.corp, OU=xxxxxxx, O=xxxxxxxxxx, L=xxxxxxxxxxxxxx, ST=xxxxxxxx, C=xx
Issuer: CN=XXXXX CA, DC=cloud, DC=corp
Valid from: Tue Mar 23 13:54:18 UTC 2021
Valid till: Thu Mar 23 13:54:18 UTC 2023
Serial#: 914345119400343461451536535824392411922746991
Public key: Sun RSA public key, 2048 bits
modulus: 231855705770066152570314131577369954637603242446759578989206803754751294824351565914129743732110994827544588460966543883605976172129693569117661509357921588815183478850378089638600314229871995314771805178017341640817875936605315833364302707372595554647453833532393376815757155001416722179412428142624866504902792330046510191621551136336433918248638504659645288726326144907300691458403587891238454297424723893811783631933359920866785373444400398845738032568684675766778615996191586165668755883030522959798859689120112193205210100146390085495955132802650583693008692078856106184239283369895227655357520072938286
public exponent: 65537
Signature algorithm: SHA256withRSA
Following headers are present in the response:
Date : Tue, 21 Feb 2023 13:45:12 GMT
Vary : Accept-Encoding
Adf-Context-Id : fd3875f9-7da2-4e9a-bbe1-cdbc60ba6af8-00000002
X-Frame-Options : sameorigin
X-ORCL-EMOA : true
X-ORACLE-DMS-RID : 0:3:1
X-Content-Type-Options : nosniff, nosniff
X-XSS-Protection : 1; mode=block, 1; mode=block
X-ORACLE-DMS-ECID : fd3875f9-7da2-4e9a-bbe1-cdbc60ba6af8-00000002
Adf-View-Id : %2Flogon%2Fcore-uifwk-console-login
Content-Type : text/html;charset=UTF-8
Cache-Control : no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0
Response saved at :
/tmp/hcbae2p01ora022.hcbe.corp_7803_2023_02_21_13_45_134697786630783685089.html
[oracle@hcbae2p01ora022 bin]$
```
As you can see above, the certificate that allows me to access the OMS console over `https` is stored somehow in OMS. But I can't find where exactly. I have tried to check all wallets on the server, but I could not find anything.
I'd like to know how I can update this certificate with a new one that I already have in my hands. Is there a way to identify whether this certificate was included using `emctl secure createca`? If so, how can I update the certificate stored there?
**UPDATE**
Thanks to @Balazs Papp, I was able to find the wallet used by the OMS Console:
```
[oracle@hcbae2p01ora022 console]$ pwd
/u01/app/oracle_em/gc_inst/user_projects/domains/GCDomain/config/fmwconfig/components/OHS/instances/ohs1/keystores/console
[oracle@hcbae2p01ora022 console]$ orapki wallet display -wallet `pwd`
Oracle PKI Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2020, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Subject: EMAIL=xxxxxxxxxxxxx,CN=hcbae2p01ora022.hcbe.corp,OU=xxxxxx,O=xxxxxx,L=xxxxxxxxx,ST=xxx,C=xx
Trusted Certificates:
[oracle@hcbae2p01ora022 console]$
```
What I don't get is why it does not appear as a Trusted certificate. If I copy this wallet to a different location, can I then use `orapki` to import the new certificate into the wallet, and then use `emctl secure console -wallet` to renew the certificate?
I have read somewhere that if there is a change in the certificate, such as the email address, you have to do it from scratch. Is that so?
Asked by Roberto Hernandez
(143 rep)
Feb 21, 2023, 01:55 PM
Last activity: Oct 12, 2023, 02:44 PM
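
An added example, not part of the original question: a small Python parser for the `emctl secdiag openurl` output format shown above, which reports days until expiry, a legacy negotiated protocol, and the fact that secdiag did not validate the chain. The sample text, host name, function names and the 30-day threshold are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format of the secdiag output above (names are placeholders).
SAMPLE = """\
Using non-validating trust manager; all certificates will be blindly accepted.
Using protocol: TLSv1
Negotiated protocol: TLSv1
Getting the certificate chain
Details of cert# 1 in chain:
Subject: CN=oms.example.invalid, O=Example
Issuer: CN=Example CA
Valid from: Tue Mar 23 13:54:18 UTC 2021
Valid till: Thu Mar 23 13:54:18 UTC 2023
Public key: Sun RSA public key, 2048 bits
Signature algorithm: SHA256withRSA
"""

DATE_FMT = "%a %b %d %H:%M:%S UTC %Y"        # "Thu Mar 23 13:54:18 UTC 2023"
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # deprecated protocol versions
FIELD = re.compile(r"^(Subject|Valid till|Public key):\s*(.+)$", re.M)

def parse_secdiag(text):
    """Return (negotiated protocol, chain_validated, list of cert dicts)."""
    m = re.search(r"^Negotiated protocol:\s*(\S+)", text, re.M)
    validated = "non-validating trust manager" not in text
    certs = []
    for block in re.split(r"^Details of cert# \d+ in chain:.*$", text, flags=re.M)[1:]:
        f = dict(FIELD.findall(block))
        if "Valid till" not in f:
            continue  # incomplete block, nothing to evaluate
        bits = re.search(r"(\d+) bits", f.get("Public key", ""))
        not_after = datetime.strptime(f["Valid till"].strip(), DATE_FMT)
        certs.append({"subject": f.get("Subject"),
                      "not_after": not_after.replace(tzinfo=timezone.utc),
                      "key_bits": int(bits.group(1)) if bits else None})
    return (m.group(1) if m else None), validated, certs

def findings(text, now, warn_days=30):
    """List what needs attention before or during the certificate renewal."""
    proto, validated, certs = parse_secdiag(text)
    out = []
    if proto in LEGACY_TLS:
        out.append(f"legacy protocol negotiated: {proto}")
    if not validated:
        out.append("chain was not validated by secdiag")
    for i, c in enumerate(certs, 1):
        days = (c["not_after"] - now).days
        if days <= warn_days:
            out.append(f"cert#{i} {'expired' if days < 0 else 'expires in ' + str(days) + ' days'}")
    return out
```

Running the same check on the secdiag output captured after the renewal confirms that the console is serving the new certificate rather than the old one.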