Because the inter-server certificate is also stored in the topology registry, it can be replaced on one server, and the change is mirrored automatically to all other servers in the topology.
The inter-server certificate is stored in human-readable, PEM-encoded format and can be updated by using the dsconfig tool. While the certificate is being replaced, existing authenticated connections continue to work. If the server is restarted, or if a topology change requires a reset of peer connections, the server continues authenticating with its peers, all of whom trust the new certificate.
To replace the inter-server certificate with no downtime, complete the following tasks: