PingDirectory

How to regenerate the server ads-certificate

At setup time, the server generates a private key and certificate for use when secure communication between servers is required. This certificate, ads-certificate, is stored in config/ads-truststore and should typically remain unchanged for the life of the server deployment. If the need arises for a new ads-certificate to be created, say because the server-root has been copied to a new host, then the private key and certificate will be recreated by the startup process if the config/ads-truststore and config/ads-truststore.pin files are first manually removed while the server is offline. Note that if replication is enabled, the server must have replication disabled before regeneration of the ads-certificate.

For example, the server allows easy copying of its installation, which can then be used to install another server instance. If a server (ldap1.example.com:389) is enabled with its own copy (ldap2.example.com:389), dsreplication will exit with the following error message:

Replication cannot be enabled between servers ldap1.example.com:389 and ldap2.example.com:389
because they are using the same instance key.

The solution is to stop the server, remove config/adstruststore and config/adstruststore.pin and re-start the server. Upon startup, a new adstruststore, containing the server’s instance key, will be generated. Then, you can re-run dsreplication enable to set up replication between the two servers.