Regardless of whether the server was set up with self-signed or CA-signed certificates, the steps to replace the server certificate are nearly identical.

This task makes the following assumptions:

  • You are replacing the self-signed server certificate.
  • The certificate alias is server-cert.
  • The private key is stored in keystore.
  • The trusted certificates are stored in truststore.
  • The keystore and truststore use the JKS keystore format.

    If a PKCS#12 keystore format was used for the keystore and truststore files during setup, change the --keystore-type argument in the manage-certificate commands to PKCS12 in the relevant steps.

Important: Before attempting to replace the inter-server certificate, ensure that all servers in the topology are updated to version 7.0 or later.

While the certificate is being replaced, existing secure connections continue to work. If the server is restarted, or if a topology change requires a reset of peer connections, the server continues authenticating with its peers, all of whom trust the new certificate.

To replace the server certificate with no downtime, complete the following tasks:

  1. Prepare a new keystore with the replacement key pair.
  2. Import the earlier trusted certificates into the new truststore file.
  3. Update the server configuration to use the new certificate by adding it to the server’s list of listener certificates in the topology registry.
    After this step is performed, other servers will trust the certificate.
  4. Replace the server’s keystore and truststore files with the new ones.
  5. Retire the previous certificate by removing it from the topology registry.

The following sections describe these tasks in more detail.
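The ordering of the five tasks is what keeps every peer able to authenticate the server at each point in the rollover. The following model, added here as an illustration and not part of PingDirectory's own tooling, walks through the tasks and checks after each one that trust still holds in both directions between the server and its peers. The server names (ds1, ds2), the certificate identifiers, and the representation of the topology registry as a per-server list of listener certificates are constructed assumptions; the model also runs the two orderings the procedure is designed to avoid (swapping the keystore before the registry is updated, and building the new truststore without the earlier trusted certificates) to show where connections would break.

```python
"""Constructed model of the zero-downtime certificate rollover described above.

Illustrative code only, not PingDirectory's tooling. A server presents the
certificate stored under the alias `server-cert` in its keystore. A peer
authenticates that certificate if it is in the peer's own truststore or in
the server's listener-certificate list in the shared topology registry.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    keystore: dict          # alias -> certificate identifier (constructed)
    truststore: set         # certificate identifiers this server trusts

    def presented_cert(self, alias="server-cert"):
        return self.keystore[alias]


@dataclass
class TopologyRegistry:
    # server name -> listener certificates every peer in the topology trusts
    listener_certs: dict = field(default_factory=dict)

    def trusted_for(self, server_name):
        return set(self.listener_certs.get(server_name, []))


def authenticates(verifier, presenter, registry):
    cert = presenter.presented_cert()
    return cert in verifier.truststore or cert in registry.trusted_for(presenter.name)


def topology_connected(server, peers, registry):
    # A secure connection between two servers needs trust in both directions.
    return all(authenticates(p, server, registry) and authenticates(server, p, registry)
               for p in peers)


def rollover(server, peers, registry, new_cert,
             swap_before_registry_update=False, skip_import_trusted=False):
    """Run the five tasks and record whether the topology stayed connected
    after each one. The two flags reproduce the ordering mistakes the
    procedure is designed to avoid."""
    results = []
    old_cert = server.presented_cert()

    # 1. Prepare a new keystore with the replacement key pair (staged, not yet live).
    new_keystore = {"server-cert": new_cert}
    results.append(("1 prepare new keystore", topology_connected(server, peers, registry)))

    # 2. Import the earlier trusted certificates into the new truststore.
    new_truststore = set() if skip_import_trusted else set(server.truststore)
    results.append(("2 import trusted certs", topology_connected(server, peers, registry)))

    def add_to_registry():   # 3. after this, every peer trusts the new certificate
        registry.listener_certs.setdefault(server.name, []).append(new_cert)

    def swap_files():        # 4. the server starts presenting the new certificate
        server.keystore = new_keystore
        server.truststore = new_truststore

    ordered = [("3 add cert to registry", add_to_registry),
               ("4 swap keystore/truststore", swap_files)]
    if swap_before_registry_update:
        ordered.reverse()
    for label, task in ordered:
        task()
        results.append((label, topology_connected(server, peers, registry)))

    # 5. Retire the previous certificate by removing it from the registry.
    registry.listener_certs[server.name].remove(old_cert)
    results.append(("5 retire old cert", topology_connected(server, peers, registry)))
    return results


def build_topology():
    """Two-server topology with constructed certificate identifiers."""
    registry = TopologyRegistry({"ds1": ["cert-ds1-old"]})
    ds1 = Server("ds1", {"server-cert": "cert-ds1-old"}, {"cert-ds2"})
    ds2 = Server("ds2", {"server-cert": "cert-ds2"}, {"cert-ds1-old"})
    return ds1, [ds2], registry


def outcomes(**flags):
    """True/False per task: did every peer connection survive that task?"""
    ds1, peers, registry = build_topology()
    return [ok for _, ok in rollover(ds1, peers, registry, "cert-ds1-new", **flags)]


if __name__ == "__main__":
    for flags in ({}, {"swap_before_registry_update": True}, {"skip_import_trusted": True}):
        ds1, peers, registry = build_topology()
        for label, ok in rollover(ds1, peers, registry, "cert-ds1-new", **flags):
            print(f"{flags or 'correct order'}: {label}: {'ok' if ok else 'CONNECTIONS BREAK'}")
```

In the correct order every task leaves the topology connected. Swapping the keystore before the registry update leaves the server presenting a certificate no peer yet trusts until task 3 catches up, and skipping the import in task 2 means the server itself can no longer authenticate peers whose certificates exist only in its old truststore.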