During the installation process, the inter-server certificate is generated with a long lifespan and does not require replacement under normal circumstances. You should replace the inter-server certificate only if you suspect that its private key is compromised.
The inter-server certificate is intended for use only between server instances within the same topology. Because it is never presented to regular clients, it does not need to be issued by a certification authority that those clients trust; the server instances in the topology trust it through the config/ads-truststore key store, which is why a self-signed certificate is sufficient.
The replace-certificate replace-inter-server-certificate command performs the following steps:
- Acquires the new inter-server certificate from a provided Java KeyStore (JKS) or PKCS #12 key store
- Makes the necessary updates to the config/ads-truststore key store file
- Updates the server instance configuration object to include the new inter-server certificate
To avoid the need to replace the inter-server certificate on a regular basis, use a self-signed certificate with a long lifespan. Each server instance must possess its own, unique inter-server certificate that satisfies the following conditions:
- Uses an RSA key pair
- Has a minimum key size of 2048 bits
- Has a maximum key size of 3072 bits
The following types of certificates are not allowed:
- Certificates with an elliptic curve key pair
- Certificates with an RSA key that is smaller than 2048 bits
- Certificates with an RSA key that is larger than 3072 bits
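The script below is an added example, not part of the product documentation or of the replace-certificate tool. It generates a self-signed, long-lived RSA key pair in a PKCS #12 key store with keytool, the way this page recommends, and checks a key store entry against the rules above (RSA only, key size between 2048 and 3072 bits) before the key store is handed to replace-certificate replace-inter-server-certificate. The alias inter-server, the hostname ds1.example.com, the 20-year validity, the KS_PASS environment variable and the sample keytool -list -v listings are all constructed for the example.

```shell
#!/bin/sh
# Added example: create and validate a candidate inter-server key pair.
# The validation functions work on text in the format `keytool -list -v`
# prints, so they can be exercised without a JDK installed.

MIN_BITS=2048
MAX_BITS=3072

# check_inter_server_key ALG BITS
# Prints a verdict and returns 0 when the key pair is acceptable for the
# inter-server certificate (RSA, 2048..3072 bits), 1 otherwise.
check_inter_server_key() {
    alg=$1
    bits=$2
    case "$alg" in
        RSA) ;;
        *) echo "rejected: $alg key pair (only RSA is allowed)"; return 1 ;;
    esac
    case "$bits" in
        ''|*[!0-9]*) echo "rejected: key size '$bits' is not a number"; return 1 ;;
    esac
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "rejected: RSA key of $bits bits is smaller than $MIN_BITS"; return 1
    fi
    if [ "$bits" -gt "$MAX_BITS" ]; then
        echo "rejected: RSA key of $bits bits is larger than $MAX_BITS"; return 1
    fi
    echo "ok: $bits-bit RSA key"
    return 0
}

# Reads a `keytool -list -v` listing on stdin and prints "<bits> <alg>"
# taken from its 'Subject Public Key Algorithm' line, e.g.
#   Subject Public Key Algorithm: 3072-bit RSA key          -> "3072 RSA"
#   Subject Public Key Algorithm: 256-bit EC (secp256r1) key -> "256 EC"
parse_public_key_line() {
    sed -n 's/^Subject Public Key Algorithm: *\([0-9][0-9]*\)-bit \([A-Za-z0-9]*\).*/\1 \2/p' | head -n 1
}

# Reads a listing on stdin and applies check_inter_server_key to it.
validate_listing() {
    parsed=$(parse_public_key_line)
    if [ -z "$parsed" ]; then
        echo "rejected: no 'Subject Public Key Algorithm' line found"; return 1
    fi
    bits=${parsed%% *}
    alg=${parsed#* }
    check_inter_server_key "$alg" "$bits"
}

# generate_inter_server_keystore KEYSTORE ALIAS HOST
# Self-signed 3072-bit RSA key pair valid for 20 years in a PKCS #12 store.
# keytool's default validity is only 90 days, so -validity is set explicitly;
# otherwise the certificate would need the regular replacement this page
# tells you to avoid. Run once per server instance, since each instance must
# have its own certificate. The password is read from $KS_PASS so it does not
# appear in the process list.
generate_inter_server_keystore() {
    ks=$1; alias=$2; host=$3
    keytool -genkeypair \
        -alias "$alias" \
        -keyalg RSA -keysize 3072 -sigalg SHA256withRSA \
        -validity 7300 \
        -dname "CN=$host" -ext "SAN=dns:$host" \
        -keystore "$ks" -storetype PKCS12 \
        -storepass:env KS_PASS -keypass:env KS_PASS
}

# validate_keystore_entry KEYSTORE ALIAS
# Lists the entry with keytool and checks it against the rules above.
validate_keystore_entry() {
    ks=$1; alias=$2
    keytool -list -v -alias "$alias" -keystore "$ks" -storetype PKCS12 \
        -storepass:env KS_PASS | validate_listing
}

# Constructed sample listings in the shape keytool -list -v produces.
SAMPLE_OK='Alias name: inter-server
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3'
SAMPLE_EC='Subject Public Key Algorithm: 256-bit EC (secp256r1) key'
SAMPLE_SMALL='Subject Public Key Algorithm: 1024-bit RSA key'
SAMPLE_BIG='Subject Public Key Algorithm: 4096-bit RSA key'

main() {
    for s in "$SAMPLE_OK" "$SAMPLE_EC" "$SAMPLE_SMALL" "$SAMPLE_BIG"; do
        printf '%s\n' "$s" | validate_listing
    done
    # With a key store path and hostname given, generate a real key pair
    # and validate it (requires keytool and KS_PASS in the environment).
    if [ $# -ge 2 ]; then
        generate_inter_server_keystore "$1" inter-server "$2" \
            && validate_keystore_entry "$1" inter-server
    fi
}

main "$@"
```

Run it as `KS_PASS=... sh gen-inter-server.sh /path/to/inter-server.p12 ds1.example.com` to produce a key store that passes the check. The resulting PKCS #12 file is then the input to replace-certificate replace-inter-server-certificate; the option names it takes for the key store path, password and private key alias vary by release and are not shown here, so take them from the tool's --help output rather than assuming them.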