PingDirectory

Updating the server configuration to use the new certificate

To update the server to use the desired key-pair, you must update the inter-server-certificate property for the server instance in the topology registry.

About this task

The old and the new certificates can each appear within their own begin and end headers in the inter-server-certificate property, which supports transitioning from the old certificate to the new one.

Steps

  1. Export the server’s old ads-certificate into old-ads.crt:

    manage-certificates export-certificate \
      --keystore ads-truststore \
      --keystore-password-file ads-truststore.pin \
      --alias ads-certificate \
      --output-file old-ads.crt

  2. Concatenate the old certificate, the new certificate, and the issuer certificates into one file.

    Choose from:

    • On Windows, use an editor such as Notepad.

    • On Unix platforms, run the following command:

      $ cat old-ads.crt new-ads.crt intermediate.crt root-ca.crt > chain.crt

  3. Update the inter-server-certificate property for the server instance in the topology registry using dsconfig:

    $ bin/dsconfig -n set-server-instance-prop \
      --instance-name <instance-name> \
      --set "inter-server-certificate<chain.crt"
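
A pre-flight check that can be run on chain.crt between steps 2 and 3, as an added example that is not part of the PingDirectory documentation or tooling. The hypothetical helper check_chain confirms that every certificate sits inside its own begin and end header, that no private key block was concatenated into the file, and that at least two certificates are present (an assumption covering the old and the new certificate).

```shell
#!/bin/sh
# Added example: check_chain is a hypothetical helper, not a PingDirectory tool.
# Prints the number of certificate blocks in a PEM file; non-zero status on error.
check_chain() {
  file=$1
  min=${2:-2}   # assumption: at least the old and the new certificate

  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

  # Private key material must never end up in a configuration property.
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$file"; then
    echo "$file contains a private key block" >&2
    return 3
  fi

  # Each certificate needs its own begin and end header, with only base64
  # lines in between. Trailing CR is tolerated for files saved on Windows.
  count=$(awk '
    { sub(/[ \t\r]+$/, "") }
    $0 == "-----BEGIN CERTIFICATE-----" { if (open) { bad = 1; exit } open = 1; next }
    $0 == "-----END CERTIFICATE-----"   { if (!open) { bad = 1; exit } open = 0; n++; next }
    open && $0 !~ "^[A-Za-z0-9+/=]+$"   { bad = 1; exit }
    END { if (bad || open) exit 1; print n + 0 }
  ' "$file") || { echo "$file has a malformed certificate block" >&2; return 4; }

  [ "$count" -ge "$min" ] || {
    echo "$file holds $count certificate(s), expected at least $min" >&2
    return 5
  }
  echo "$count"
}

# Run as: sh check_chain.sh chain.crt
if [ "$#" -gt 0 ]; then check_chain "$@"; fi
```

Text outside the certificate blocks is ignored, so a file with explanatory lines between certificates still passes.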