Preparing a new keystore with the replacement key-pair
Prepare a new keystore either from an existing key-pair or from a CA-signed certificate associated with the server's original key-pair. In other words, the self-signed certificate can be replaced with an existing key-pair and certificate, or the original key-pair can be kept and its certificate replaced.
Use an existing key-pair
If a private key and certificate in PEM-encoded format already exist, both the original private key and the self-signed certificate can be replaced in ads-truststore with the manage-certificates tool. The following command imports the existing key and certificates into a new keystore file, ads-truststore.new:
$ bin/manage-certificates import-certificate \
--keystore ads-truststore.new \
--keystore-type JKS \
--keystore-password-file ads-truststore.pin \
--alias ads-certificate \
--private-key-file existing.key \
--certificate-file existing.crt \
--certificate-file intermediate.crt \
--certificate-file root-ca.crt
The certificates listed with the --certificate-file options must be ordered so that each subsequent certificate is the issuer of the previous one: the server certificate comes first, the intermediate certificates (if any) next, and the root CA certificate last.
Use the certificate associated with the original key-pair
The certificate associated with the original server-generated private key can be replaced with the following commands.
- Create a CSR for the ads-certificate:

$ bin/manage-certificates generate-certificate-signing-request \
--keystore ads-truststore \
--keystore-type JKS \
--keystore-password-file ads-truststore.pin \
--alias ads-certificate \
--use-existing-key-pair \
--subject-dn "CN=ldap.example.com,O=Example Corporation,C=US" \
--output-file ads.csr

- Submit ads.csr to a CA for signing.

- Export the server's private key into ads.key:

$ bin/manage-certificates export-private-key \
--keystore ads-truststore \
--keystore-password-file ads-truststore.pin \
--alias ads-certificate \
--output-file ads.key

- Import the certificates obtained from the CA (the CA-signed server certificate, any intermediate certificates, and the root CA certificate) into ads-truststore.new:

$ bin/manage-certificates import-certificate \
--keystore ads-truststore.new \
--keystore-type JKS \
--keystore-password-file ads-truststore.pin \
--alias ads-certificate \
--private-key-file ads.key \
--certificate-file new-ads.crt \
--certificate-file intermediate.crt \
--certificate-file root-ca.crt
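Both import commands on this page (the one for an existing key-pair and the final step above) depend on the --certificate-file arguments being ordered server certificate first, each issuer next, root CA last. The following script is an added example, not part of this documentation or of the manage-certificates tool; it assumes only that the openssl command-line tool is installed. It checks a list of PEM files for that ordering before they are handed to import-certificate, so a misordered chain is caught by the operator rather than by the server at startup.

```shell
#!/bin/sh
# Added example (not from the product documentation): verify that PEM
# certificate files are ordered leaf -> intermediate(s) -> root CA, the
# order manage-certificates import-certificate expects. Assumes the
# openssl CLI is available.
#
# Usage: check_chain_order server.crt [intermediate.crt ...] root-ca.crt

# Print the subject or issuer DN of a PEM certificate in RFC 2253 form,
# with the leading "subject=" / "issuer=" label stripped.
cert_field() {  # $1 = subject | issuer, $2 = certificate file
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*=[ ]*//'
}

# Return 0 when every certificate's issuer is the subject of the next file
# and the final file is self-signed; otherwise print the first problem to
# stderr and return 1.
check_chain_order() {
    prev=""
    prev_issuer=""
    for f in "$@"; do
        subj=$(cert_field subject "$f") || return 1
        if [ -n "$prev" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "order error: issuer of $prev ($prev_issuer) is not the subject of $f ($subj)" >&2
            return 1
        fi
        prev="$f"
        prev_issuer=$(cert_field issuer "$f")
    done
    [ -n "$prev" ] || { echo "no certificate files given" >&2; return 1; }
    if [ "$prev_issuer" != "$(cert_field subject "$prev")" ]; then
        echo "last certificate $prev is not self-signed; expected the root CA last" >&2
        return 1
    fi
    echo "chain order OK: $*"
    return 0
}

# When run directly with file arguments, check them and exit with the result.
if [ "$#" -gt 0 ]; then
    check_chain_order "$@"
    exit $?
fi
```

Run it with the same file list, in the same order, that you intend to pass as --certificate-file options; a non-zero exit means the import would be built from a broken chain. The check compares names only, which is enough to catch a swapped or missing file; it does not validate signatures, so it complements rather than replaces the CA's own validation of the chain.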