Whether the server was set up with self-signed or certificate authority (CA)-signed certificates, the steps to replace the server certificate are nearly identical.
This task makes the following assumptions:
- You are replacing the self-signed server certificate.
- The certificate alias is server-cert.
- The private key is stored in keystore.
- The trusted certificates are stored in truststore.
- The keystore and truststore use the Java KeyStore (JKS) format.
If a PKCS#12 keystore format was used for the keystore and truststore files during setup, change the --keystore-type argument in the manage-certificate commands to PKCS12 in the relevant steps.
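If you are not sure which format was chosen during setup, the file header tells you. The following is an added example, not part of the product documentation: the function name `keystore_type` is hypothetical, and it relies only on the JKS magic number (`0xFEEDFEED`) and on the DER header of a PKCS#12 PFX structure (a SEQUENCE whose first element is the INTEGER 3).

```shell
#!/bin/sh
# Added example: classify a keystore or truststore file as JKS or PKCS12
# from its first bytes, so the matching --keystore-type value can be used.
# Reads the header only; no keystore password is needed.

keystore_type() {
    # $1 = path to the keystore or truststore file
    [ -r "$1" ] || { echo "unreadable"; return 2; }

    # First 8 bytes as lowercase hex with no separators.
    hdr=$(od -An -N8 -tx1 "$1" | tr -d ' \n')

    case "$hdr" in
        # JKS: 4-byte magic 0xFEEDFEED, followed by a 4-byte version.
        feedfeed*)
            echo "JKS" ;;
        # PKCS#12: SEQUENCE tag 0x30, a length in one of the BER/DER forms
        # (0x80 indefinite, 0x81/0x82/0x83 long form), then INTEGER 3
        # encoded as 02 01 03.
        3080020103*|3081??020103*|3082????020103*|3083??????020103*)
            echo "PKCS12" ;;
        *)
            echo "unknown"; return 1 ;;
    esac
}

# Classify every path given on the command line, for example:
#   sh keystore-type.sh keystore truststore
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(keystore_type "$f")"
done
```

A result of `unknown` means the file is neither format, for example a PEM file or a truncated copy, and should be investigated before any certificate is replaced.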
While the certificate is being replaced, existing secure connections continue to work. If you restart the server, or if a topology change requires a reset of peer connections, the server continues authenticating with its peers, all of whom trust the new certificate.
To replace the server certificate with no downtime, perform the following steps: