Updating the server instance listener certificates
To change the SSL certificate for the server, update the keystore and truststore files with the new certificate.
About this task
The certificate file must have the new certificate in PEM-encoded format, such as:
-----BEGIN CERTIFICATE-----
MIIDKTCCAhGgAwIBAgIEacgGrDANBgkqhkiG9w0BAQsFADBFMR4wHAYDVQQKExVVbmJvdW5kSUQgQ2
VydGlmaWNhdGUxIzAhBgNVBAMTGnZtLW1lZGl1bS03My51bmJvdW5kaWQubGFiMB4XDTE1MTAxMjE1
MzU0OFoXDTM1MTAwNzE1MzU0OFowRTEeMBwGA1UEChMVVW5ib3VuZElEIENlcnRpZmljYXRlMSMwIQ
YDVQQDExp2bS1tZWRpdW0tNzMudW5ib3VuZGlkLmxhYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKN4tAN3o9Yw6Cr9hivwVDxJqF6+aEi9Ir3WGFYLSrggRNXsiAOfWkSMWdIC5vyF5OJ9Dl
IgvHL4OuqP/YNEGzKDkgr6MwtUeVSK14+dCixygJGC0nY7k+f0WSCjtIHzrmc4WWdrZXmgb+qv9Lup
S30JG0FXtcbGkYpjaKXIEqMg4ekz3B5cAvE0SQUFyXEdN4rWOn96nVFkb2CstbiPzAgne2tu7paJ6S
GFOW0UF7v018XY1m2WHBIoD0WC8nOVLTG9zFUavaOxtlt1TlhClkI4HRMNg8n2EtSTdQRizKuw9DdT
XJBb6Kfvnp/nI73VHRyt47wUVueehEDfLtDP8pMCAwEAAaMhMB8wHQYDVR0OBBYEFMrwjWxl2K+yd9
+Y65oKn0g5jITgMA0GCSqGSIb3DQEBCwUAA4IBAQBpsBYodblUGew+HewqtO2i8Wt+vAbt31zM5/kR
vo6/+iPEASTvZdCzIBcgletxKGKeCQ0GPeHr42+erakiwmGDlUTYrU3LU5pTGTDLuR2IllTT5xlEhC
WJGWipW4q3Pl3cX/9m2ffY/JLYDfTJaoJvnXrh7Sg719skkHjWZQgOHXlkPLx5TxFGhAovE1D4qLVR
WGohdpWDrIgFh0DVfoyAn1Ws9ICCXdRayajFI4Lc6K1m6SA5+25Y9nno8BhVPf4q5OW6+UDc8MsLbB
sxpwvR6RJ5cv3ypfOriTehJsG+9ZDo7YeqVsTVGwAlW3PiSd9bYP/8yu9Cy+0MfcWcSeAE
-----END CERTIFICATE-----
If clients or peer servers that already have a secure connection established with this server must keep working while the listener certificate is being rotated, the file can temporarily contain both the old and the new certificate, each with its own BEGIN and END lines. Keep the old certificate in the file only until every client has reconnected with the new one, then remove it and update the property again. Blank lines and lines that start with the # character are ignored, so the file can carry comments noting which certificate is which and when the old one can be dropped.
After the keystore and truststore files are updated, run the following dsconfig command to update the server's certificate in the topology registry:
$ bin/dsconfig set-server-instance-listener-prop \
--instance-name <server-instance-name> \
--listener-name ldap-listener-mirrored-config \
--set "listener-certificate<path-to-new-certificate-file"
The < after the property name tells dsconfig to read the property value from the named file rather than from the command line. Quote the argument as shown; unquoted, the shell treats < as input redirection and dsconfig never sees the file name.
The listener-certificate property in the topology registry acts like a trust store: the public certificates it holds are automatically trusted by the local server. When the local server opens a secure LDAP connection to a peer and the peer presents its certificate, the local server checks the listener-certificate property recorded for that peer in the topology registry. If the property contains the peer's certificate, the local server trusts the peer; if it does not, the connection is not trusted. This is why the file should list both the old and the new certificate during a rotation: whichever certificate this server presents, peers must be able to find it in the property.
Steps
- Update the keystore and truststore files with the new SSL certificate.
- Run the dsconfig command above to update the server's certificate in the topology registry.
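The following is an added example, not code from the product or its documentation. It builds a listener-certificate file in the layout described above (one PEM block per certificate, blank lines and # comment lines ignored), parses such a file back with those same rules, and checks by SHA-256 fingerprint that the file holds exactly the certificates intended for the rotation (old and new) and no duplicates, so that a malformed or incomplete file is caught before it is written into the topology registry with dsconfig. The byte strings standing in for DER certificates and the instance name in the comments are constructed placeholders; a real file would be built from the certificates exported from the keystore (for example with keytool -exportcert -rfc, using whatever keystore path and alias the installation uses).

```python
"""Build and validate a listener-certificate file before handing it to dsconfig.

Added example, not code from the product or its documentation.  The file
format follows the rules on the page: one or more PEM certificates, each with
its own BEGIN/END lines; blank lines and lines starting with '#' are ignored.
The byte strings below stand in for DER certificates and are constructed for
this example only.
"""
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholders: a real file carries DER-encoded X.509 certificates,
# which these byte strings are not.  They only exercise the file handling.
OLD_DER = b"placeholder DER of the old listener certificate"
NEW_DER = b"placeholder DER of the new listener certificate"


def pem_block(der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block, 64 base64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


def build_listener_cert_file(certs) -> str:
    """certs: list of (comment, der).  Each comment becomes a '#' line, which
    the server ignores, so the file records why each certificate is present
    (e.g. 'old cert, remove once all clients have reconnected')."""
    return "".join(f"# {comment}\n{pem_block(der)}\n" for comment, der in certs)


def parse_listener_cert_file(text: str) -> list:
    """Return the DER bytes of every certificate in the file, applying the
    page's rules, and reject what dsconfig should never be given: stray text
    outside a block, a block that never closes, or invalid base64."""
    certs = []
    current = None  # base64 lines of the block being read, or None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comment lines are ignored
        if line == BEGIN:
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open block")
            current = []
        elif line == END:
            if current is None:
                raise ValueError(f"line {lineno}: END without a BEGIN")
            certs.append(base64.b64decode("".join(current), validate=True))
            current = None
        elif current is not None:
            current.append(line)
        else:
            raise ValueError(f"line {lineno}: text outside a certificate block")
    if current is not None:
        raise ValueError("certificate block not closed before end of file")
    return certs


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form keytool and openssl print."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_rollover_file(text: str, expected_fingerprints) -> list:
    """Parse the file, refuse duplicates, and require that its certificates are
    exactly the expected set (old and new during the rotation, new alone
    afterwards).  Returns the fingerprints found, in file order."""
    found = [sha256_fingerprint(der) for der in parse_listener_cert_file(text)]
    if len(set(found)) != len(found):
        raise ValueError("the same certificate appears more than once")
    if set(found) != set(expected_fingerprints):
        raise ValueError(f"file holds {found}, expected {sorted(expected_fingerprints)}")
    return found


if __name__ == "__main__":
    rollover = build_listener_cert_file([
        ("ds1.example.com (hypothetical instance): old listener certificate, "
         "keep until all clients have reconnected", OLD_DER),
        ("ds1.example.com (hypothetical instance): new listener certificate", NEW_DER),
    ])
    print(rollover)
    expected = {sha256_fingerprint(OLD_DER), sha256_fingerprint(NEW_DER)}
    for fp in check_rollover_file(rollover, expected):
        print("trusted:", fp)
```

Compare the fingerprints the check prints against those reported by the keystore tool for the old and new aliases before running the dsconfig command; once every client has reconnected, rebuild the file with only the new certificate, run the same check with just its fingerprint, and set the property again.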