#1way SSL (no ClientAuthentication)
Option-1
> Follow the steps here to build the keystore (either from PKCS12 or from a key/certificate pair):
https://docs.tibco.com/pub/mash-local/5.3.0/doc/html/GUID-99A4161B-72E7-4563-9606-5EC89A32024A.html
> Retrieve the keystore from the location where it is created (as documented).
> Update the manifest folder with the new keystore and set its password in tml_tm_properties.json, then redeploy the TM container.
Option-2 (without using Jenkins)
> Get the new keystore, containing the new key pair, in JKS format
> Rename it to tml-tm.jks (the default keystore used by TM)
> Place the new 'tml-tm.jks' in the manifest folder used to create the cluster
> Update the keystore password in tml_tm_properties.json
(Make sure the store password and the alias/entry password are the same.)
> Run ./undeploy-tm-pod.sh
> Then run ./deploy-tm-pod.sh
#MutualSSL (with ClientAuthentication)
To enable MutualSSL, the truststore must be updated and configured in addition to the keystore (tml-tm.jks). Follow these steps:
1) Follow the documented steps to generate tml-tm-trust.jks:
https://docs.tibco.com/pub/mash-local/5.3.1/doc/html/GUID-B40A3E66-FD72-4FBA-8227-2E39305D47BB.html
(Alternatively, create a truststore yourself containing all necessary public certificates and give it the same name: tml-tm-trust.jks.)
2) Update the following properties, as documented, in tml_tm_properties.json:
"tm_truststore_password": "password",
"need_client_auth": true,
3) Undeploy and redeploy the TM pod.
Note:
These steps redeploy the TM container/pod with only the certificates changed.
> Because the TM container/pod is stateless, recreating/redeploying it should be fine.
> If there is only one TM in the cluster, plan for downtime.
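
A pre-deploy check for the manifest folder, added here as an example (not TIBCO tooling and not part of the original steps). It goes slightly beyond the steps above by confirming that tml-tm.jks is really in JKS format rather than a renamed PKCS12 file; the function names and the one-property-per-line layout of tml_tm_properties.json are assumptions.

```sh
#!/bin/sh
# Added example, not TIBCO tooling. File names and the two JSON keys come from
# the steps above; function names and one-property-per-line JSON are assumptions.

# is_jks FILE: true when FILE begins with the JKS magic number 0xFEEDFEED.
# A PKCS12 store that was only renamed to .jks begins with 0x30 and fails here.
is_jks() {
    [ -f "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "feedfeed" ]
}

# json_value FILE KEY: print the raw value from the first '"KEY": value' line.
json_value() {
    grep "\"$2\"[[:space:]]*:" "$1" | head -n 1 |
        sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*,\{0,1\}[[:space:]]*$//'
}

fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

# preflight DIR MODE: MODE is "oneway" or "mutual". Prints each problem and
# returns the number of problems found (0 = safe to undeploy and redeploy).
preflight() {
    dir=$1; mode=$2; problems=0
    props="$dir/tml_tm_properties.json"
    [ -f "$props" ] || fail "tml_tm_properties.json not found in $dir"
    is_jks "$dir/tml-tm.jks" || fail "tml-tm.jks is missing or not in JKS format"
    if [ "$mode" = "mutual" ]; then
        [ -s "$dir/tml-tm-trust.jks" ] || fail "tml-tm-trust.jks is missing or empty"
        if [ -f "$props" ]; then
            [ "$(json_value "$props" need_client_auth)" = "true" ] ||
                fail "need_client_auth is not true"
            pw=$(json_value "$props" tm_truststore_password)
            { [ -n "$pw" ] && [ "$pw" != '""' ]; } ||
                fail "tm_truststore_password is not set"
        fi
    fi
    return "$problems"
}

# Usage: preflight ./manifest mutual && ./undeploy-tm-pod.sh && ./deploy-tm-pod.sh
```

Running the check before undeploying matters most on a single-TM cluster, where a bad keystore otherwise only shows up after the pod is already down.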