PingAuthorize

Replacing the certificate associated with the original key pair

Replace the certificate associated with the original server-generated private key (alias server-cert) when it has expired or must be replaced with a certificate issued by a different certificate authority (CA). Because the certificate signing request (CSR) is generated from the existing key pair, the private key itself does not change; only the certificate chain stored under the alias does.

About this task

Perform the following steps to replace the certificate associated with the original key pair:

Steps

  1. Create a CSR file for the server-cert, using the existing key pair so that the private key is preserved.

    Example:

    manage-certificates generate-certificate-signing-request \
      --keystore keystore \
      --keystore-type JKS \
      --keystore-password-file keystore.pin \
      --alias server-cert \
      --use-existing-key-pair \
      --subject-dn "CN=ldap.example.com,O=Example Corporation,C=US" \
      --output-file server-cert.csr
  2. Submit server-cert.csr to a CA for signing. The CA returns the signed server certificate (server-cert.crt in the examples below) together with its issuing chain: the root CA certificate and any intermediate certificates.

  3. Export the server’s private key into server-cert.key. The exported file is as sensitive as the keystore itself: restrict it to the owner (for example, chmod 600) and delete it after the import in the next step has succeeded.

    Example:

    manage-certificates export-private-key \
      --keystore keystore \
      --keystore-password-file keystore.pin \
      --alias server-cert \
      --output-file server-cert.key
  4. Import the certificates obtained from the CA, including the CA-signed server certificate, the root CA certificate, and any intermediate certificates, into keystore.new, along with the exported private key. Pass the certificate files in the order shown: the server certificate first, then the intermediate certificate(s), then the root CA certificate. The new keystore is protected with the same PIN file as the original keystore.

    Example:

    manage-certificates import-certificate \
      --keystore keystore.new \
      --keystore-type JKS \
      --keystore-password-file keystore.pin \
      --alias server-cert \
      --private-key-file server-cert.key \
      --certificate-file server-cert.crt \
      --certificate-file intermediate.crt \
      --certificate-file root-ca.crt
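The four steps above as one script, with the checks a practitioner wants before the keystore is touched. This is an added example and is not part of the PingAuthorize documentation or product; the helper functions (pem_cert_count, require_single_cert, key_file_is_private, cert_matches_key) are written here and are not manage-certificates features. It assumes, beyond what the page states, that the script runs from the directory holding keystore and keystore.pin, that manage-certificates and openssl are on PATH, that the CA returns server-cert.crt, intermediate.crt and root-ca.crt as PEM files each holding one certificate, and that export-private-key writes the key in PEM form.

```shell
#!/bin/sh
# Added example, not from the PingAuthorize documentation. Assumptions
# (not stated on the page): run from the directory that holds keystore and
# keystore.pin; manage-certificates and openssl on PATH; the CA returns
# server-cert.crt, intermediate.crt and root-ca.crt as single-certificate
# PEM files; export-private-key writes a PEM private key.
set -eu

KEYSTORE=keystore
PIN_FILE=keystore.pin
ALIAS=server-cert
SUBJECT_DN="CN=ldap.example.com,O=Example Corporation,C=US"

# Number of "BEGIN CERTIFICATE" blocks in a PEM file (0 when none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Each --certificate-file must hold exactly one certificate; a bundle or an
# empty file would silently produce the wrong chain in the keystore.
require_single_cert() {
    [ "$(pem_cert_count "$1")" -eq 1 ]
}

# True when the file's permission bits are exactly 0600 (owner only).
key_file_is_private() {
    [ -n "$(find "$1" -prune -perm 600 -print)" ]
}

# The public key inside the CA-signed certificate must equal the public half
# of the exported key; otherwise the CA signed a different CSR.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

replace_server_cert() {
    # Step 1: CSR from the existing key pair (the private key is unchanged).
    manage-certificates generate-certificate-signing-request \
      --keystore "$KEYSTORE" --keystore-type JKS \
      --keystore-password-file "$PIN_FILE" --alias "$ALIAS" \
      --use-existing-key-pair --subject-dn "$SUBJECT_DN" \
      --output-file "$ALIAS.csr"

    # Step 2 is manual: submit $ALIAS.csr and place the CA's files here.
    for f in "$ALIAS.crt" intermediate.crt root-ca.crt; do
        require_single_cert "$f" || { echo "$f: expected one PEM certificate" >&2; return 1; }
    done
    # The chain must validate as delivered, before it goes into the keystore.
    openssl verify -CAfile root-ca.crt -untrusted intermediate.crt "$ALIAS.crt"

    # Step 3: export the private key with owner-only permissions.
    (umask 077 && manage-certificates export-private-key \
      --keystore "$KEYSTORE" --keystore-password-file "$PIN_FILE" \
      --alias "$ALIAS" --output-file "$ALIAS.key")
    chmod 600 "$ALIAS.key"
    key_file_is_private "$ALIAS.key"
    cert_matches_key "$ALIAS.crt" "$ALIAS.key"

    # Step 4: key plus full chain into a fresh keystore, end-entity cert first.
    manage-certificates import-certificate \
      --keystore "$KEYSTORE.new" --keystore-type JKS \
      --keystore-password-file "$PIN_FILE" --alias "$ALIAS" \
      --private-key-file "$ALIAS.key" \
      --certificate-file "$ALIAS.crt" \
      --certificate-file intermediate.crt \
      --certificate-file root-ca.crt
    # The plaintext key file has served its purpose.
    rm -f "$ALIAS.key"
}

# Run the full procedure only when asked ("./replace-cert.sh run"); the
# helper functions can be sourced and exercised on their own.
if [ "${1:-}" = run ]; then
    replace_server_cert
fi
```

The script stops at the first failed check because of set -e, so a mismatched certificate or an unvalidated chain never reaches the import; the original keystore is only ever read, and keystore.new is written only after every check has passed.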