Because the inter-server certificate is also stored in the topology registry, it can be replaced on one server, and the change is mirrored automatically to all other servers in the topology.
The inter-server certificate is stored in human-readable, PEM-encoded format and can be updated by using the dsconfig tool. While the certificate is being replaced, existing authenticated connections continue to work. If the server is restarted, or if a topology change requires a reset of peer connections, the server continues authenticating with its peers, all of whom trust the new
To replace the inter-server certificate with no downtime, complete the following tasks:
- Prepare a new keystore with the replacement key pair.
- Import the earlier trusted certificates into the new keystore.
- Update the server configuration to use the new certificate by adding it to the server’s list of certificates in the topology registry. After this step is performed, other servers will trust the certificate.
- Replace the server’s ads-truststore file with the new one.
- Retire the previous certificate by removing it from the topology registry.
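The first two tasks (a new keystore with the replacement key pair, plus the earlier trusted certificate imported into it) and the PEM export that feeds the topology registry are shown below as an added example; it is not taken from the page or from the Ping product documentation. It assumes the JDK `keytool` is on the PATH, uses PKCS12 stores, and all aliases, file names, the subject DN and the password are constructed for the demo; the "old" keystore it generates stands in for the server's current ads-truststore. The dsconfig update, the ads-truststore replacement and the final retirement are done with the server's own tooling and are not part of this script.

```shell
#!/bin/sh
# Added example, not the product's own scripts. Prepares a replacement
# inter-server keystore and carries the previously trusted certificate into it.
# Assumed: keytool is available; aliases, file names, DN and password are
# illustrative (constructed). The "old" store below stands in for the server's
# current ads-truststore.
set -eu

command -v keytool >/dev/null 2>&1 || { echo "keytool not found; nothing to do" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
STOREPASS='changeit'   # constructed; a real deployment reads the PIN from a file
DN='CN=ds1.example.com, O=Example'   # constructed subject

# Stand-in for the server's current keystore (constructed for this demo).
make_current_keystore() {
    rm -f "$WORK/ads-truststore-old.p12"
    keytool -genkeypair -alias ads-certificate -keyalg RSA -keysize 2048 \
        -validity 30 -dname "$DN" \
        -keystore "$WORK/ads-truststore-old.p12" -storetype PKCS12 \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# Task 1: a new keystore holding the replacement key pair.
prepare_new_keystore() {
    rm -f "$WORK/ads-truststore-new.p12"
    keytool -genkeypair -alias ads-certificate -keyalg RSA -keysize 2048 \
        -validity 365 -dname "$DN" \
        -keystore "$WORK/ads-truststore-new.p12" -storetype PKCS12 \
        -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# Task 2: export the earlier certificate as PEM and import it as a trusted
# entry into the new keystore, so peers that still present the old certificate
# keep authenticating while the rollover is in progress.
import_earlier_trusted_cert() {
    keytool -exportcert -rfc -alias ads-certificate \
        -keystore "$WORK/ads-truststore-old.p12" -storepass "$STOREPASS" \
        -file "$WORK/ads-certificate-old.pem" >/dev/null 2>&1
    keytool -importcert -noprompt -alias ads-certificate-old \
        -file "$WORK/ads-certificate-old.pem" \
        -keystore "$WORK/ads-truststore-new.p12" -storepass "$STOREPASS" >/dev/null 2>&1
}

# The new certificate in PEM form is what gets added to the server's
# certificate list in the topology registry. Prints the first PEM line.
export_new_cert_pem() {
    keytool -exportcert -rfc -alias ads-certificate \
        -keystore "$WORK/ads-truststore-new.p12" -storepass "$STOREPASS" \
        -file "$WORK/ads-certificate-new.pem" >/dev/null 2>&1
    head -n 1 "$WORK/ads-certificate-new.pem"
}

# Check: number of entries of a given type in the new store
# ("PrivateKeyEntry" for the replacement key pair, "trustedCertEntry" for the
# carried-over certificate).
count_entries() {
    keytool -list -keystore "$WORK/ads-truststore-new.p12" \
        -storepass "$STOREPASS" 2>/dev/null | grep -c "$1"
}

run_rollover_prep() {
    make_current_keystore
    prepare_new_keystore
    import_earlier_trusted_cert
    export_new_cert_pem
    echo "new keystore: $WORK/ads-truststore-new.p12"
    echo "private key entries: $(count_entries PrivateKeyEntry)"
    echo "trusted cert entries: $(count_entries trustedCertEntry)"
}

run_rollover_prep
```

After the replacement certificate has been added to the topology registry and the ads-truststore file swapped, the carried-over `ads-certificate-old` trusted entry is the one to remove once the previous certificate has been retired from the registry (`keytool -delete -alias ads-certificate-old ...`), otherwise the new store keeps trusting a key that is no longer in use.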