BACKGROUND
There is a bug in engine-config that existed since beginning of time, it does not take the CABaseDirectory into account.
However, both the setup and the upgrade set full path for all pki artifacts, this is why this bug has been never discovered.
DESCRIPTION
The database upgrade script puts two values per default, these are relative:
select fn_db_update_config_value('keystoreUrl','keys/engine.p12','general');
select fn_db_update_config_value('TruststoreUrl','.truststore','general');
When system is upgraded from 3.1, after database upgrade the engine-upgrade script will convert keys to PKCS#12 format, and overwrite database settings.
However, if you upgrade from 3.2 to 3.2, then the engine-upgrade script does not overwrite the setting, leaving relative paths.
WORKAROUND
Modify keystoreUrl and truststoreUrl within database to absolute paths.