How to regenerate the server ads-certificate
At setup time, the server generates a private key and certificate for use when secure communication between servers is required. This certificate, ads-certificate, is stored in config/ads-truststore and should typically remain unchanged for the life of the server deployment. If the need arises for a new ads-certificate to be created, say because the server root has been copied to a new host, then the private key and certificate will be recreated by the startup process if the config/ads-truststore and config/ads-truststore.pin files are first manually removed while the server is offline. Note that if replication is enabled, replication must be disabled on the server before the ads-certificate is regenerated.
For example, the server allows easy copying of its installation, and the copy can then be used to install another server instance. Because the copy carries the same private key, attempting to enable replication between the original server (ldap1.example.com:389) and its copy (ldap2.example.com:389) causes dsreplication to exit with the following error message:
Replication cannot be enabled between servers ldap1.example.com:389 and ldap2.example.com:389 because they are using the same instance key.
The solution is to stop the server, remove config/ads-truststore and config/ads-truststore.pin, and restart the server. Upon startup, a new ads-truststore containing the server's own instance key will be generated. Then you can re-run dsreplication enable to set up replication between the two servers.
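The offline part of this procedure as an added shell example (not from the original article or the server's own tooling). It moves the two files into a timestamped backup directory instead of deleting them, so the previous instance key can be restored if the server fails to come up, and it refuses to run while the server appears to be online. The online check uses an assumed SERVER_ROOT/logs/server.pid file that exists only while the server is running; the stop, start and dsreplication enable commands are still run by hand.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumption: SERVER_ROOT/logs/server.pid is present only while the server runs.

# Usage: regenerate_ads_truststore SERVER_ROOT
# Returns 0 when the old ads-truststore and ads-truststore.pin were moved to a
# backup directory, 1 if the server still looks online, 2 if nothing was found.
regenerate_ads_truststore() {
    root="$1"
    cfg="$root/config"
    # The files must be removed while the server is offline, so bail out if the
    # pid file is still there rather than pulling the keystore out from under it.
    if [ -f "$root/logs/server.pid" ]; then
        echo "server at $root appears to be running; stop it first" >&2
        return 1
    fi
    if [ ! -f "$cfg/ads-truststore" ] && [ ! -f "$cfg/ads-truststore.pin" ]; then
        echo "no ads-truststore in $cfg; nothing to regenerate" >&2
        return 2
    fi
    # Keep a copy of the old instance key so the change can be rolled back.
    backup="$root/ads-truststore.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for f in ads-truststore ads-truststore.pin; do
        if [ -f "$cfg/$f" ]; then
            mv "$cfg/$f" "$backup/$f"
        fi
    done
    echo "old instance key moved to $backup; start the server to regenerate it" >&2
    return 0
}

# Usage: wait_for_ads_truststore SERVER_ROOT [TIMEOUT_SECONDS]
# After the restart, poll until both files have been written again (return 0)
# or give up after the timeout (return 1), in which case the server log needs
# a look before running dsreplication enable.
wait_for_ads_truststore() {
    root="$1"
    remaining="${2:-60}"
    while [ "$remaining" -gt 0 ]; do
        if [ -f "$root/config/ads-truststore" ] && [ -f "$root/config/ads-truststore.pin" ]; then
            return 0
        fi
        sleep 1
        remaining=$((remaining - 1))
    done
    echo "ads-truststore was not regenerated in $root" >&2
    return 1
}
```

After wait_for_ads_truststore returns 0 on the copied server, run dsreplication enable between the two servers as the article describes.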