Updating the server configuration to use the new certificate
Before updating the server to use the appropriate key pair, update the listener-certificate property for the server instance’s LDAP listener in the topology registry.
About this task
To support the transition from an existing certificate to a new one, earlier and newer certificates might appear within their own beginning and ending headers in the listener-certificate property.
To update the server configuration to use the new certificate, perform the following steps:
Steps
- Export the server’s previous server-cert into old-server-cert.crt.

  manage-certificates export-certificate \
    --keystore keystore \
    --keystore-password-file keystore.pin \
    --alias server-cert \
    --output-file old-server-cert.crt

- Concatenate the previous and new certificate into one file.
  On Windows, use a text editor like Notepad. On Unix, use the following command.

  cat old-server-cert.crt new-server-cert.crt > old-new-server-cert.crt

- Use dsconfig to update the listener-certificate property for the server instance’s LDAP listener in the topology registry.

  $ bin/dsconfig -n set-server-instance-listener-prop \
    --instance-name <instance-name> \
    --listener-name ldap-listener-mirrored-config \
    --set "listener-certificate<old-new-server-cert.crt"
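A check worth running on the concatenated file before the dsconfig step, shown as an added example that is not part of the original documentation. It assumes the exported files are PEM-encoded; the function names (join_pem, check_pem_bundle, make_sample) are hypothetical and the certificate bodies are constructed placeholders. If the first file lacks a trailing newline, plain cat fuses its END line with the next BEGIN line, so each certificate no longer sits within its own headers.

```shell
#!/bin/sh
# Added example: structural checks for a PEM bundle such as
# old-new-server-cert.crt. Function names and sample data are constructed.
BEGIN='-----BEGIN CERTIFICATE-----'
END='-----END CERTIFICATE-----'

# join_pem OUT FILE...: concatenate like `cat`, but make sure every input
# ends with a newline so an END line never fuses with the next BEGIN line.
join_pem() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
}

# check_pem_bundle FILE COUNT: succeed only if FILE holds exactly COUNT
# certificate blocks, each inside its own BEGIN and END line.
check_pem_bundle() {
    [ -r "$1" ] || return 2
    awk -v b="$BEGIN" -v e="$END" -v want="$2" '
        { sub(/\r$/, "") }                    # tolerate CRLF from a Windows editor
        $0 == b { if (inblk) bad = 1; inblk = 1; next }
        $0 == e { if (!inblk) bad = 1; inblk = 0; n++; next }
        index($0, "-----") { bad = 1 }        # fused header or a non-certificate block
        END { exit ((bad || inblk || n != want) ? 1 : 0) }
    ' "$1"
}

# make_sample DIR: write two constructed placeholder files (not real
# certificates); the first one deliberately lacks a trailing newline.
make_sample() {
    printf '%s\nQ09OU1RSVUNURUQtT0xE\n%s' "$BEGIN" "$END" > "$1/old-server-cert.crt"
    printf '%s\nQ09OU1RSVUNURUQtTkVX\n%s\n' "$BEGIN" "$END" > "$1/new-server-cert.crt"
}

# Demo: plain `cat` fuses the headers and fails the check; join_pem passes.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
cat "$demo_dir/old-server-cert.crt" "$demo_dir/new-server-cert.crt" > "$demo_dir/cat.crt"
join_pem "$demo_dir/old-new-server-cert.crt" \
    "$demo_dir/old-server-cert.crt" "$demo_dir/new-server-cert.crt"
if check_pem_bundle "$demo_dir/cat.crt" 2; then echo "cat.crt: ok"; else echo "cat.crt: malformed bundle"; fi
if check_pem_bundle "$demo_dir/old-new-server-cert.crt" 2; then echo "old-new-server-cert.crt: 2 certificates"; fi
rm -rf "$demo_dir"
```

The check is structural only: it confirms the header layout, not that the certificates themselves are valid or that the bundle contains the intended old and new certificates.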