WSO2 API Manager Migration: Fixing the “Certificate Does Not Exist in the Trust Store” Error
Hi everyone! ❤️
I hope everyone is doing well and staying safe!
After a while, I decided to write a small tech story about WSO2 API Manager (APIM) product migration. If you’re new to WSO2 product version migration, this article will help you understand the process.
Recently, while migrating WSO2 APIM from version 3.2.0 to 4.2.0, I encountered the following error during the APIM data migration:
ERROR — V400DBDataMigrator WSO2 API-M Migration Task : Error while retrieving endpoint certificate for alias: <Alias_Name>. The certificate does not exist in the trust store.
This error is related to API endpoint certificates, and in this article, we’ll explore why it occurs and how to fix it.
Understanding the Error
Starting from APIM 4.0.0, a new column called CERTIFICATE was introduced in this table. The column’s data is populated during the Endpoint Certificate Migration step.
Here’s how the migration client processes the endpoint certificates:
- Retrieves all endpoint certificate aliases from the
AM_CERTIFICATE_METADATAtable. - Verifies whether each alias exists in the
client-truststore.jksfile of the target product. - If the certificate is not found, the migration client logs the following error:
ERROR — V400DBDataMigrator WSO2 API-M Migration Task : Error while retrieving endpoint certificate for alias: <Alias_Name>. The certificate does not exist in the trust store.
4. If the certificate is found, the client logs:
INFO — V400DBDataMigrator WSO2 API-M Migration Task : Adding encoded certificate content of alias: <Alias_Name> to DB
5. According to the migration client code, if at least one endpoint certificate is missing during the alias and certificate verification process, the endpoint certificate data migration to the database will be halted, and the following stack trace will be thrown:
ERROR — APIMMigrationClient WSO2 API-M Migration Task : API Migration exception occurred while migrating
org.wso2.carbon.apimgt.migration.APIMigrationException: WSO2 API-M Migration Task : Error while executing migration from API-Manager 3.2.0.
at org.wso2.carbon.apimgt.migration.APIMMigrationClient.executeMigration(APIMMigrationClient.java:92) ~[org.wso2.carbon.apimgt.migrate.client-4.2.0.42.jar:?]
:
Caused by: org.wso2.carbon.apimgt.migration.APIMigrationException: WSO2 API-M Migration Task : Error/s occurred while Migrating Endpoint Certificates
As a result, the entire migration process stops, preventing further steps from executing.
How to Fix the Issue
Let’s see how we can fix them if you observe such an error during your WSO2 APIM product migration.
The error occurs because some endpoint certificates listed in AM_CERTIFICATE_METADATA do not exist in client-truststore.jks.
To resolve this, you can follow two approaches:
Option 1: Reimport the Missing Endpoint Certificates
- Identify the alias value from the error log and check the database:
SELECT * FROM AM_CERTIFICATE_METADATA WHERE ALIAS = ‘myEndpoint’;2.Find the API using the endpoint associated with this alias.
3.Delete the record for this alias from the AM_CERTIFICATE_METADATA table in the source database (APIM 3.2.0):
DELETE FROM AM_CERTIFICATE_METADATA WHERE ALIAS = ‘myEndpoint’;4. Log into the WSO2 Publisher UI of Source version, edit the API, and re-import the endpoint certificate. This will update both the database and the client-truststore.jks file same time.
5. Export the updated database and restore it to the new database for the target APIM version (4.2.0).
6. Copy the updated client-truststore.jks file to the target APIM server and re-run the data migration.
Option 2: Remove Missing Certificates and Import Later
- Identify the missing endpoint certificates using the migration error logs.
2. Remove each missing certificate from the AM_CERTIFICATE_METADATA table on the source DB:
DELETE FROM AM_CERTIFICATE_METADATA WHERE ALIAS = ‘myEndpoint’;3. Restore the database to its original state and re-run the migration.
- Important: After migration, manually import the missing endpoint certificates via the WSO2 Publisher UI to prevent issues with API invocation.
Key Takeaways:
✅ Ensure that all required endpoint certificates exist in client-truststore.jks before migration.
✅ If a certificate is missing, either reimport it before migration (Option 1) or remove it and import later (Option 2).
✅ Always perform pre-migration validation to avoid unexpected migration failures.
I hope this article helps you navigate WSO2 APIM migrations more smoothly! If you found this helpful, feel free to clap and comment with your thoughts. 🚀
Bye for now! 😊 Looking forward to meeting again soon in the next blog! 🚀✨
