Replacing the certificate associated with the original key pair
Replace the certificate associated with the original server-generated private key (alias server-cert) when it has expired or must be replaced with a certificate issued by a different certificate authority (CA). The key pair itself is kept; only the certificate chain stored with it changes.
About this task
Perform the following steps to replace the certificate associated with the original key pair:
Steps
- Create a CSR for the server-cert alias, reusing its existing key pair (--use-existing-key-pair) so that the certificate the CA issues pairs with the private key already in the keystore. Example:
  manage-certificates generate-certificate-signing-request \
    --keystore keystore \
    --keystore-type JKS \
    --keystore-password-file keystore.pin \
    --alias server-cert \
    --use-existing-key-pair \
    --subject-dn "CN=ldap.example.com,O=Example Corporation,C=US" \
    --output-file server-cert.csr
- Submit server-cert.csr to a CA for signing.
- Export the server's private key into server-cert.key. As shown, the exported key is not encrypted, so restrict the file's permissions and delete it once the import is complete. Example:
  manage-certificates export-private-key \
    --keystore keystore \
    --keystore-password-file keystore.pin \
    --alias server-cert \
    --output-file server-cert.key
- Import the certificates obtained from the CA (the CA-signed server certificate, any intermediate certificates, and the root CA certificate), together with the exported private key, into keystore.new. Example:
  manage-certificates import-certificate \
    --keystore keystore.new \
    --keystore-type JKS \
    --keystore-password-file keystore.pin \
    --alias server-cert \
    --private-key-file server-cert.key \
    --certificate-file server-cert.crt \
    --certificate-file intermediate.crt \
    --certificate-file root-ca.crt
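Before importing, it is worth confirming that what the CA returned actually matches the exported key and forms a complete chain; a wrong certificate or a missing intermediate is only discovered later, when clients fail the TLS handshake. The script below is an added example that is not part of this page or of manage-certificates: it checks the files the steps above produce (server-cert.key, server-cert.crt, intermediate.crt, root-ca.crt) with openssl, assuming the exported key is an unencrypted PEM private key and the certificates are PEM. The make_fixtures function builds a throwaway root, intermediate and server certificate as constructed test data so the example runs offline; in a real replacement you point check_replacement at the CA's files instead.

```shell
#!/bin/sh
# Added example (not from the original page or from manage-certificates):
# sanity-check the CA's deliverables with openssl before importing them
# into keystore.new. Assumes server-cert.key is an unencrypted PEM private
# key and the certificates are PEM, as the steps above produce.
set -eu

# Succeeds only if the public key inside the certificate ($2) belongs to
# the private key ($1), i.e. the CA really signed our CSR and not another.
key_matches_cert() {
  openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  crt_fp=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_fp" = "$crt_fp" ]
}

# Succeeds only if the server certificate ($1) chains through the
# untrusted intermediate ($2) to the trusted root ($3).
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Combined pre-import check: key <-> cert match, then cert -> intermediate -> root.
check_replacement() {
  key=$1 crt=$2 inter=$3 root=$4
  key_matches_cert "$key" "$crt" || { echo "FAIL: $key does not match $crt" >&2; return 1; }
  chain_verifies "$crt" "$inter" "$root" || { echo "FAIL: $crt does not chain to $root via $inter" >&2; return 1; }
  echo "OK: $crt matches $key and chains to $root via $inter"
}

# Helper for the constructed fixtures: fresh EC key plus CSR ($1 = dir, $2 = name, $3 = subject).
newkey_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# Constructed test data: a throwaway root -> intermediate -> server hierarchy
# generated locally so the example runs offline. Real deployments use the
# files returned by the CA.
make_fixtures() {
  d=$1
  mkdir -p "$d"
  cat > "$d/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.com
EOF
  newkey_csr "$d" root-ca "/CN=Example Root CA/O=Example Corporation/C=US"
  openssl x509 -req -in "$d/root-ca.csr" -signkey "$d/root-ca.key" -days 30 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/root-ca.crt" 2>/dev/null
  newkey_csr "$d" intermediate "/CN=Example Issuing CA/O=Example Corporation/C=US"
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root-ca.crt" -CAkey "$d/root-ca.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions ca -out "$d/intermediate.crt" 2>/dev/null
  # server-cert.key/.csr stand in for the manage-certificates output above
  newkey_csr "$d" server-cert "/CN=ldap.example.com/O=Example Corporation/C=US"
  openssl x509 -req -in "$d/server-cert.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions leaf -out "$d/server-cert.crt" 2>/dev/null
  # an unrelated key, to show what a certificate issued for someone else's CSR looks like
  newkey_csr "$d" wrong "/CN=wrong"
}

FIX=$(mktemp -d)
make_fixtures "$FIX"
check_replacement "$FIX/server-cert.key" "$FIX/server-cert.crt" "$FIX/intermediate.crt" "$FIX/root-ca.crt"
```

Run it after the CA has returned the files and before the import-certificate step. A mismatch reported by key_matches_cert means the certificate was not issued for the CSR generated with --use-existing-key-pair; a failure from chain_verifies usually means an intermediate is missing, which is exactly why all three --certificate-file arguments are passed to import-certificate.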