If the certificate that is associated with the original server-generated private key (server-cert) has expired or must be replaced with a certificate from a different CA, perform the following steps to replace it:

  1. Create a CSR file for the server-cert, as follows:
    manage-certificates generate-certificate-signing-request \
      --keystore keystore \
      --keystore-type JKS \
      --keystore-password-file keystore.pin \
      --alias server-cert \
      --use-existing-key-pair \
      --subject-dn "CN=ldap.example.com,O=Example Corporation,C=US" \
      --output-file server-cert.csr
  2. Submit server-cert.csr to a CA for signing.
  3. Export the server’s private key into server-cert.key, as follows:
    manage-certificates export-private-key \
      --keystore keystore \
      --keystore-password-file keystore.pin \
      --alias server-cert \
      --output-file server-cert.key
  4. Import the certificates obtained from the CA – including the CA-signed server certificate, the root CA certificate, and any intermediate certificates – into keystore.new, as follows:
    manage-certificates import-certificate \
      --keystore keystore.new \
      --keystore-type JKS \
      --keystore-password-file keystore.pin \
      --alias server-cert \
      --private-key-file server-cert.key \
      --certificate-file server-cert.crt \
      --certificate-file intermediate.crt \
      --certificate-file root-ca.crt
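Before running step 4, it is worth confirming that the files returned by the CA belong together: that server-cert.crt was issued for the key exported in step 3, that it chains to root-ca.crt through intermediate.crt, and that it is not already near expiry. The script below is an added example, not part of the product documentation or the manage-certificates tool; it assumes openssl is on the PATH and uses the file names from the steps above, and make_fixture builds a constructed throwaway PKI only so the check can be exercised offline.

```sh
#!/bin/sh
# Added example, not part of the product documentation: sanity-check the files
# returned by the CA before running "manage-certificates import-certificate".
# Assumes openssl is on PATH and the file names used in the steps above.
set -eu

# check_chain KEY CERT INTERMEDIATE ROOT
# Succeeds only if CERT was issued for KEY, chains to ROOT via INTERMEDIATE,
# and is not within one day of expiry; otherwise prints the reason and fails.
check_chain() {
  key=$1 cert=$2 inter=$3 root=$4
  # The certificate's public key must equal the one derived from the private key.
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "unreadable key: $key" >&2; return 1; }
  cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || { echo "unreadable cert: $cert" >&2; return 1; }
  [ "$kpub" = "$cpub" ] || { echo "private key does not match $cert" >&2; return 1; }
  # ROOT is the trust anchor; INTERMEDIATE is supplied as untrusted chain material.
  openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not chain to $root via $inter" >&2; return 1; }
  # Refuse a certificate that expires within 86400 seconds (one day).
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "$cert is expired or expiring" >&2; return 1; }
}

# make_fixture DIR: constructed throwaway PKI (root -> intermediate -> server) for testing.
make_fixture() {
  dir=$1; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Root" \
    -keyout "$dir/root.key" -out "$dir/root-ca.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -days 1825 -in "$dir/inter.csr" -CA "$dir/root-ca.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com/O=Example Corporation/C=US" \
    -keyout "$dir/server-cert.key" -out "$dir/server-cert.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server-cert.csr" -CA "$dir/intermediate.crt" \
    -CAkey "$dir/inter.key" -CAcreateserial -out "$dir/server-cert.crt" 2>/dev/null
}

# Stand-alone use: ./check-chain.sh server-cert.key server-cert.crt intermediate.crt root-ca.crt
if [ $# -eq 4 ]; then check_chain "$@"; fi
```

A non-zero exit from check_chain means the import in step 4 would produce a keystore entry whose certificate and key do not match, or whose chain the server cannot present correctly, so fix the inputs before importing.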