DPR-ERR-2109 : certificate has expired

Product:
Cognos Analytics 11.0.13
Microsoft Windows 2016 server

Problem:
After change of custom certificate on IIS and in CA11 dispatcher level, in file CAMkeystore. The https://caservername.domain.com:9300/p2pd/servlet/dispatch still show wrong certificate.
When you examine the camkeystore.jks file with ikeyman.exe you find that the root certificate is used instead of the server certificate.

Possible solution:
When using custom certificate for SSL (TLS) communication on port 9300, you need to only add this certificate to the CAMkeystore file.
First you set HTTPS in cognos configuration, then when you press save inside Cognos Configuration for CA11, the keystores files are created.
For example IBM Cognos Configuration > Security > Cryptography > Cognos > Certificate lifetime in days. This value will set the cognos server certificate (encryption) in the keystore to last this long. The internal CA certificate is created to last a year longer.
After the cognos keystore files are created, you can add the custom certificates to the file with ikeyman.exe.

You must add the certificate in correct order:
Root – first
Intermediate – second
Server Cert – last

Make a backup of the C:\Program Files\ibm\cognos\analytics\configuration\certs folder before you start.

Go to C:\Program Files\ibm\cognos\analytics\jre\bin
Launch ikeyman.exe as administrator ( by right click and select run as administrator)
Open the following file C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMkeystore
Type: PKCS12
File name:CAMKeystore
Location:  C:\Program Files\ibm\cognos\analytics\configuration\certs
Password: NoPassWordSet (default)

Select Signer Certificates from the drop down list.
Click on Add.
Import your root.cer first.
Then import your intermediate.cer second.
Then go back to Personal Certificates from the drop down list.
Mark encryption, and click on Rename. Change the name to old-encryption.
Click on Import button. Select Import key.

Select you certificate file with your server certificate, that contain the DNS alias for your server.
Enter your password when you import the file.
Set the name of the server cert to encryption.
Exit/Close the ikeyman program. Any changes are saved directly to the CAMkeystore file.

Now go into Cognos Configuration and click save. Then start the Cognos service from inside Cognos Configuration. Now the file CAMkeystore.jks is created/update with the custom certificates.
Test to browse to the https://caservername.domain.com:9300/bi/v1/disp

You may need to also add the custom certificate to other places, depending on you system setup.

(Internal CA)
It is Cognos specific certificate authority.  You can check the content with ikeyman tool.

View ‘ca’ certificate under Personal Certificates.  Double click to see the values of the certificate.
When ‘encryption’ certificate is expired, you cannot log in to Cognos Analytics.

If you use PA, you need to add the Planning Analytics certificate to the CA11 key store.
https://www.ibm.com/support/pages/configure-datasource-ibm-planning-analytics-20x-ibm-cognos-analytics-1106

More information:

https://www.ibm.com/support/pages/node/561949

https://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_cryptoprvdrdflt.html