PingDirectory

Replacing the inter-server certificate

During the installation process, the inter-server certificate is generated with a long lifespan and does not require replacement under normal circumstances. You should replace the inter-server certificate only if you suspect that its private key is compromised.

About this task

The inter-server certificate is intended for use only between server instances within the same topology. Because it is not exposed to regular clients, the inter-server certificate does not need to be trusted.

The replace-certificate replace-inter-server-certificate command performs the following steps:

  • Acquires the new inter-server certificate from a provided Java KeyStore (JKS) or PKCS #12 key store

  • Makes the necessary updates to the config/ads-truststore file in the server key store

  • Updates the server instance configuration object to include the new inter-server certificate

To avoid the need to replace the inter-server certificate on a regular basis,use a self-signed certificate with a long lifespan. Each server instance must possess its own, unique inter-server certificate that satisfies the following conditions:

  • Uses an RSA key pair

  • Has a minimum key size of 2048 bits

  • Has a maximum key size of 3072 bits

The following types of certificates are not allowed:

  • Certificates with an elliptic curve key pair

  • Certificates with an RSA key that is smaller than 2048 bits

  • Certificates with an RSA key that is larger than 3072 bits

Steps

  • To replace the inter-server certificate, run the replace-inter-server-certificate subcommand of the replace-certificate.

    The replace-inter-server-certificate subcommand takes a subset of the arguments that are used with the replace-listener-certificate subcommand, including the following arguments:

    • --source-key-store-file <path>

    • --source-key-store-password <password>

    • --source-key-store-password-file <path>

    • --source-certificate-alias <alias>

    • --source-private-key-password <password>

    • --source-private-key-password-file <path>

    The following example illustrates what you see when you run replace-certificate replace-inter-server-certificate with the --help argument:

    replace-certificate replace-inter-server-certificate \
         --bindDN uid=admin,dc=example,dc=com \
         --bindPasswordFile admin-password.txt \
         --source-key-store-file new-inter-server-certificate-keystore.jks \
         --source-key-store-type JKS \
         --source-key-store-password-file new-inter-server-certificate-keystore.pin \
         --source-certificate-alias new-inter-server-cert
  • To delete earlier values that are no longer needed, run the purge-retired-inter-server-certificates subcommand.

    By default, the new inter-server certificate is merged with the existing values in the server instance configuration entry.