Alternatively, to replace the certificate that is associated with the original server-generated, ads-certificate private key, perform the following steps:

  1. Create a CSR for the ads-certificate, as follows:
    manage-certificates generate-certificate-signing-request \
      --keystore ads-truststore \
      --keystore-type JKS \
      --keystore-password-file ads-truststore.pin \
      --alias ads-certificate \
      --use-existing-key-pair \
      --subject-dn "CN=ldap.example.com,O=Example Corporation,C=US" \
      --output-file ads.csr
  2. Submit ads.csr to a CA for signing.
  3. Export the server’s private key into ads.key, as follows:
    manage-certificates export-private-key \
      --keystore ads-truststore \
      --keystore-password-file ads-truststore.pin \
      --alias ads-certificate \
      --output-file ads.key
  4. Import the certificates obtained from the CA – including the CA-signed server certificate, the root CA certificate, and any intermediate certificates – into ads-truststore.new, as follows:
    manage-certificates import-certificate \
      --keystore ads-truststore.new \
      --keystore-type JKS \
      --keystore-password-file ads-truststore.pin \
      --alias ads-certificate \
      --private-key-file ads.key \
      --certificate-file new-ads.crt \
      --certificate-file intermediate.crt \
      --certificate-file root-ca.crt
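
Before running the import in step 4, it is worth confirming that the CA signed the same key pair that was exported in step 3 and that the certificate chain is complete. The following script is an added example, not part of the product documentation; it assumes OpenSSL is installed and that ads.key (unencrypted), ads.csr, and the three certificate files are PEM-encoded.

```shell
#!/bin/sh
# Added example: pre-import checks for the files used in steps 1-4.
# Assumes OpenSSL is installed and every input file is PEM-encoded.

# Emit the public key (PEM) contained in a private key, CSR or certificate.
pubkey_pem() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# check_replacement KEY CSR CERT INTERMEDIATE ROOT
# Returns 0 only if CERT certifies the key pair behind KEY and CSR, and
# CERT chains through INTERMEDIATE to ROOT.
check_replacement() {
    key=$1 csr=$2 cert=$3 intermediate=$4 root=$5

    k=$(pubkey_pem key  "$key")  || { echo "cannot read key: $key" >&2; return 1; }
    r=$(pubkey_pem csr  "$csr")  || { echo "cannot read CSR: $csr" >&2; return 1; }
    c=$(pubkey_pem cert "$cert") || { echo "cannot read certificate: $cert" >&2; return 1; }

    # All three files must carry the identical public key.
    if [ -z "$k" ] || [ "$k" != "$r" ] || [ "$k" != "$c" ]; then
        echo "public key mismatch between $key, $csr and $cert" >&2
        return 1
    fi

    # -untrusted supplies the intermediate for path building only;
    # it is not treated as a trust anchor.
    openssl verify -CAfile "$root" -untrusted "$intermediate" "$cert" >/dev/null 2>&1 || {
        echo "chain does not verify: $cert -> $intermediate -> $root" >&2
        return 1
    }
}

# Usage: sh check.sh ads.key ads.csr new-ads.crt intermediate.crt root-ca.crt
if [ "$#" -eq 5 ]; then
    check_replacement "$@"
fi
```

ads.key contains the server's private key, so keep it readable only by the server account and delete it once the import has succeeded.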