I've had this happen before, but can't remember what the "fix" was.

It seems that there's a bug in the Admin Console from way back where, if you imported a PFX certificate and then assigned that to the various keystores, it would assign some (usually the NIDP Signing and Encryption ones) as the alias:

signing
encryption

And then, as a result, when the cert expires and you get new ones, it won't replace the cert in those keystores (it's grayed out).

I vaguely recall that there was some manual way to mess with the certs and whack 'em and that the underlying cause was due to the alias, which the GUI doesn't let you specify when assigning the cert to the keystores.

But I know that there was a way to whack 'em.

Any ideas?