---
title: Replacing the server certificate
description: Whether the server was set up with self-signed or certificate authority (CA)-signed certificates, the steps to replace the server certificate are nearly identical.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_replace_server_certs
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_replace_server_certs.html
revdate: July 29, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  next-steps: Next steps
---

# Replacing the server certificate

Whether the server was set up with self-signed or certificate authority (CA)-signed certificates, the steps to replace the server certificate are nearly identical.

## About this task

This task makes the following assumptions:

* You are replacing the self-signed server certificate.

* The certificate alias is `server-cert`.

* The private key is stored in `keystore`.

* The trusted certificates are stored in `truststore`.

* The `keystore` and `truststore` use the Java KeyStore (JKS) format.

  If a PKCS#12 keystore format was used for the `keystore` and `truststore` files during setup, change the `--keystore-type` argument in the `manage-certificate` commands to `PKCS12` in the relevant steps.

While the certificate is being replaced, existing secure connections continue to work. If you restart the server, or if a topology change requires a reset of peer connections, the server continues authenticating with its peers, all of whom trust the new certificate.

To replace the server certificate with no downtime, perform the following steps:

## Steps

1. Prepare a new keystore with the replacement key pair.

2. Import the earlier trusted certificates into the new `truststore` file.

3. Update the server configuration to use the new certificate by adding it to the server's list of listener certificates in the topology registry.

   ### Result:

   Other servers will trust the certificate.

4. Replace the server's `keystore` and `truststore` files with the new ones.

5. Retire the previous certificate by removing it from the topology registry.
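
Why the order of steps 3 to 5 matters, shown as an added example that is not part of the product documentation: a toy Python model that tries every ordering of those steps and reports where peers would stop trusting the server. It assumes a peer accepts the server only while the certificate the server presents is in the topology registry's list of listener certificates; the step names and certificate labels are constructed for illustration.

```python
from itertools import permutations

# Toy model of the rollover, not PingAuthorize code.
# Assumption: peers accept the server only if the certificate it presents
# is in the topology registry's listener-certificate list.
OLD, NEW = "old-cert", "new-cert"  # constructed labels, not real fingerprints

# Hypothetical step names mapped to their effect on the modelled state.
STEPS = {
    "register_new": lambda s: s["registry"].add(NEW),     # step 3
    "swap_keystore": lambda s: s.update(presented=NEW),   # step 4
    "retire_old": lambda s: s["registry"].discard(OLD),   # step 5
}


def rollover(order):
    """Apply the steps in the given order.

    Returns the name of the first step after which peers would reject the
    server (None if trust holds throughout) and the final registry contents.
    """
    state = {"registry": {OLD}, "presented": OLD}
    outage = None
    for name in order:
        STEPS[name](state)
        if outage is None and state["presented"] not in state["registry"]:
            outage = name
    return outage, state["registry"]


def safe_orderings():
    """Every ordering of the three steps that never breaks peer trust."""
    return [o for o in permutations(STEPS) if rollover(o)[0] is None]


if __name__ == "__main__":
    for order in permutations(STEPS):
        outage, registry = rollover(order)
        status = "no downtime" if outage is None else f"peers reject after {outage}"
        print(" -> ".join(order), ":", status, "| registry:", sorted(registry))
```

In this model the documented order is the only one that keeps the presented certificate trusted at every point, because the registry holds both certificates for the whole period in which the keystore is being swapped.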

## Next steps

The following sections describe these tasks in more detail.
