---
title: Replacing the inter-server certificate
description: During the installation process, the inter-server certificate is generated with a long lifespan and does not require replacement under normal circumstances. You should replace the inter-server certificate only if you suspect that its private key is compromised.
component: pingdirectory
version: 11.0
page_id: pingdirectory:managing_servers_and_certificates:pd_ds_replace_inter_server_certificate
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_servers_and_certificates/pd_ds_replace_inter_server_certificate.html
revdate: August 12, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Replacing the inter-server certificate

During the installation process, the inter-server certificate is generated with a long lifespan and does not require replacement under normal circumstances. You should replace the inter-server certificate only if you suspect that its private key is compromised.

## About this task

The inter-server certificate is intended for use only between server instances within the same topology. Because it is not exposed to regular clients, the inter-server certificate does not need to be trusted.

The `replace-certificate replace-inter-server-certificate` command performs the following steps:

* Acquires the new inter-server certificate from a provided Java KeyStore (JKS) or PKCS #12 key store

* Makes the necessary updates to the `config/ads-truststore` file in the server key store

* Updates the server instance configuration object to include the new inter-server certificate

Note: To avoid the need to replace the inter-server certificate on a regular basis, use a self-signed certificate with a long lifespan. Each server instance must possess its own, unique inter-server certificate that satisfies the following conditions:

* Uses an RSA key pair

* Has a minimum key size of 2048 bits

* Has a maximum key size of 3072 bits

The following types of certificates are not allowed:

* Certificates with an elliptic curve key pair

* Certificates with an RSA key that is smaller than 2048 bits

* Certificates with an RSA key that is larger than 3072 bits

## Steps

* To replace the inter-server certificate, run the `replace-inter-server-certificate` subcommand of the `replace-certificate` tool.

  The `replace-inter-server-certificate` subcommand takes a subset of the arguments that are used with the `replace-listener-certificate` subcommand, including the following arguments:

  * `--source-key-store-file <path>`

  * `--source-key-store-password <password>`

  * `--source-key-store-password-file <path>`

  * `--source-certificate-alias <alias>`

  * `--source-private-key-password <password>`

  * `--source-private-key-password-file <path>`

  The following example illustrates a typical `replace-certificate replace-inter-server-certificate` invocation; running the subcommand with the `--help` argument lists all of its arguments:

  ```
  replace-certificate replace-inter-server-certificate \
       --bindDN uid=admin,dc=example,dc=com \
       --bindPasswordFile admin-password.txt \
       --source-key-store-file new-inter-server-certificate-keystore.jks \
       --source-key-store-type JKS \
       --source-key-store-password-file new-inter-server-certificate-keystore.pin \
       --source-certificate-alias new-inter-server-cert
  ```

* To delete earlier values that are no longer needed, run the `purge-retired-inter-server-certificates` subcommand.

  Note: By default, the new inter-server certificate is merged with the existing values in the server instance configuration entry.
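Before running `replace-inter-server-certificate`, it is worth confirming that the candidate certificate meets the key requirements stated in the note above (RSA key pair, 2048 to 3072 bits), because a certificate with an elliptic curve key or an out-of-range RSA key is not allowed. The following pre-flight check is an added example and is not part of PingDirectory or its tools; it assumes `openssl` is available and that the candidate certificate has been exported from its key store in PEM form (for example with `keytool -exportcert -rfc`).

```shell
#!/bin/sh
# Added example (not a PingDirectory tool): pre-flight check that a candidate
# inter-server certificate satisfies the requirements on this page:
# RSA key pair, minimum 2048 bits, maximum 3072 bits. Requires openssl.
# Export the candidate from its key store first, for example:
#   keytool -exportcert -rfc -keystore ks.jks -alias new-inter-server-cert -file cand.crt

# Print "<algorithm> <bits>" for the subject public key of a PEM certificate.
cert_key_info() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    [ -n "$alg" ] && [ -n "$bits" ] || return 1
    printf '%s %s\n' "$alg" "$bits"
}

# Return 0 if the certificate is acceptable as an inter-server certificate,
# 1 (with a reason on stderr) if it violates one of the page's key requirements.
check_inter_server_cert() {
    info=$(cert_key_info "$1") || { echo "REJECT $1: cannot read public key" >&2; return 1; }
    alg=${info% *}
    bits=${info#* }
    if [ "$alg" != "rsaEncryption" ]; then
        echo "REJECT $1: key algorithm is $alg; an RSA key pair is required" >&2
        return 1
    fi
    if [ "$bits" -lt 2048 ] || [ "$bits" -gt 3072 ]; then
        echo "REJECT $1: RSA key is $bits bits; 2048-3072 bits required" >&2
        return 1
    fi
    echo "OK $1: RSA $bits-bit key"
}

# Generate a constructed self-signed RSA certificate with a long lifespan
# (10 years), as this page recommends. $1 = key size in bits, $2 = output prefix.
make_rsa_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 3650 -sha256 \
        -subj "/CN=ds1.example.com inter-server" \
        -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Usage: sh check_inter_server_cert.sh candidate.crt [more.crt ...]
for c in "$@"; do
    check_inter_server_cert "$c"
done
```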
