Retire the previous certificate by removing it from the topology registry after it expires.
Remove the previous certificate from the topology registry, as shown in the
following example.
$ dsconfig -n set-server-instance-listener-prop \
--instance-name <instance-name> \
--listener-name ldap-listener-mirrored-config \
--set "listener-certificate<new-server-cert.crt"