Replacing the inter-server certificate
During the installation process, the inter-server certificate is generated with a long lifespan and does not require replacement under normal circumstances. You should replace the inter-server certificate only if you suspect that its private key is compromised.
About this task
The inter-server certificate is intended for use only between server instances within the same topology. Because it is not exposed to regular clients, the inter-server certificate does not need to be trusted.
The replace-certificate replace-inter-server-certificate command performs the following steps:
-
Acquires the new inter-server certificate from a provided Java KeyStore (JKS) or PKCS #12 key store
-
Makes the necessary updates to the
config/ads-truststorefile in the server key store -
Updates the server instance configuration object to include the new inter-server certificate
|
To avoid the need to replace the inter-server certificate on a regular basis,use a self-signed certificate with a long lifespan. Each server instance must possess its own, unique inter-server certificate that satisfies the following conditions:
The following types of certificates are not allowed:
|
Steps
-
To replace the inter-server certificate, run the
replace-inter-server-certificatesubcommand of thereplace-certificate.The
replace-inter-server-certificatesubcommand takes a subset of the arguments that are used with thereplace-listener-certificatesubcommand, including the following arguments:-
--source-key-store-file {path}--source-key-store-password {password} -
--source-key-store-password-file {path} -
--source-certificate-alias {alias} -
--source-private-key-password {password} -
--source-private-key-password-file {path}
-
-
To delete earlier values that are no longer needed, run the
purge-retired-inter-server-certificatessubcommand.By default, the new inter-server certificate is merged with the existing values in the server instance configuration entry.