To support the transition from an existing certificate to a new one, the listener-certificate property can hold both the earlier and the newer certificate, each within its own beginning and ending headers.

To update the server configuration to use the new certificate, perform the following steps:

  1. Export the server’s previous server-cert into old-server-cert.crt.
    manage-certificates export-certificate \
      --keystore keystore \
      --keystore-password-file \
      --alias server-cert \
      --output-file old-server-cert.crt
  2. Concatenate the previous and new certificate into one file.

    On Windows, use a text editor like Notepad. On Unix, use the following command.

    cat old-server-cert.crt new-server-cert.crt > old-new-server-cert.crt
  3. Use dsconfig to update the listener-certificate property for the server instance's LDAP listener in the topology registry.
    $ bin/dsconfig -n set-server-instance-listener-prop \
      --instance-name <instance-name> \
      --listener-name ldap-listener-mirrored-config \
      --set "listener-certificate<old-new-server-cert.crt"
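
A check to run on old-new-server-cert.crt between steps 2 and 3, shown as an added example that is not part of the original documentation: it confirms the file holds the expected number of certificates, each inside its own beginning and ending header. The function name `check_pem_bundle` is hypothetical, and the example assumes both certificates are PEM-encoded.

```shell
#!/bin/sh
# Added example (not product code): validate a concatenated PEM bundle
# before handing it to dsconfig.
#
# check_pem_bundle FILE EXPECTED_COUNT
#   Prints the number of certificate blocks found and returns 0 when every
#   block has its own BEGIN/END header and the count matches EXPECTED_COUNT.
#   Returns 1 when headers are unbalanced, fused onto one line (the first
#   file had no trailing newline before concatenation), or of another PEM
#   type such as a private key.
check_pem_bundle() {
    bundle=$1
    expected=$2
    awk -v expected="$expected" '
        { sub(/\r$/, "") }    # tolerate CRLF line endings from Windows editors
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { bad = "BEGIN inside an open block at line " NR; exit }
            inside = 1; body = 0; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside) { bad = "END without BEGIN at line " NR; exit }
            if (!body)   { bad = "empty certificate body before line " NR; exit }
            inside = 0; count++; next
        }
        # Any other line carrying a PEM header marker is fused or unexpected.
        /-----(BEGIN|END) / { bad = "unexpected or fused header at line " NR; exit }
        inside && NF { body++ }
        END {
            if (!bad && inside) bad = "missing END header"
            if (!bad && count != expected)
                bad = "found " (count + 0) " certificates, expected " expected
            if (bad) { print "error: " bad > "/dev/stderr"; exit 1 }
            print count + 0
        }
    ' "$bundle"
}

# Usage for the procedure above: check_pem_bundle old-new-server-cert.crt 2
```

A non-zero exit means the file should be rebuilt before the listener-certificate property is updated.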