Manage Sentinel keystore updates

The Sentinel keystore CA is used for communication between the following entities:

  • Central Governance and Sentinel via SSO
  • Transfer CFT and Sentinel
  • SecureTransport and Sentinel

If the Sentinel keystore changes, you must update it on Central Governance. If the Sentinel keystore is a chain certificate, Central Governance requires the root CA. In the cgcmd configure UI, you must update Central Governance by selecting the Sentinel keystore root CA from the Sentinel truststore.


  1. Stop Central Governance.
  2. Run the cgcmd configure command:
    • Set Use Governance CA for Front end SSL to No.
    • Truststore: Upload the new Sentinel truststore.jks.
    • Certificate alias: Enter the alias of the Sentinel keystore root CA to import into Central Governance.
  3. Update the Sentinel keystore root CA on each Transfer CFT and SecureTransport:
    • After you upload a new Sentinel keystore root CA, the certificate is in the Transfer CFT's configuration on Central Governance. Use the REST API to deploy it to Transfer CFT automatically.
    • Manually update the new Sentinel keystore root CA on SecureTransport.
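
To find the value for the Certificate alias field, you can list the truststore with keytool and pick the self-signed entry. The following is an added example, not part of the product documentation: the `find_root_aliases` helper, the sample aliases and the sample DNs are constructed for illustration. It assumes keytool prints its messages in English.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): print the aliases of self-signed trusted
# certificates, i.e. root CA candidates, from `keytool -list -v` text on stdin.
find_root_aliases() {
  awk '
    { sub(/[ \t\r]+$/, "") }   # drop trailing whitespace and CR
    /^Alias name: / { alias = substr($0, 13); type = ""; owner = ""; next }
    /^Entry type: / { type  = substr($0, 13); next }
    /^Owner: /      { owner = substr($0, 8);  next }
    /^Issuer: / {
      # A root CA is self-signed: subject (Owner) and Issuer are the same DN.
      if (type == "trustedCertEntry" && owner != "" && owner == substr($0, 9))
        print alias
      owner = ""
    }
  '
}

# Constructed sample of keytool output (placeholder names, not real data).
sample_keytool_output() {
  cat <<'EOF'
Your keystore contains 3 entries

Alias name: sentinel-server
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=sentinel.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example

Alias name: example-issuing-ca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: example-root-ca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
EOF
}

# Real use (keytool prompts for the store password):
#   keytool -list -v -keystore truststore.jks | find_root_aliases
sample_keytool_output | find_root_aliases   # prints: example-root-ca
```

If more than one alias is printed, compare the Issuer of the Sentinel certificate chain with each candidate before entering the alias in cgcmd configure.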

