Before updating the server to use the new key pair, update the listener-certificate property for the server instance's LDAP listener in the topology registry. To support the transition from an existing certificate to a new one, the listener-certificate property can hold both the old and the new certificate, each enclosed in its own beginning and ending header lines.

To update the server configuration to use the new certificate, perform the following steps:

  1. Export the server’s previous server-cert into old-server-cert.crt, as follows:
    manage-certificates export-certificate \
      --keystore keystore \
      --keystore-password-file keystore.pin \
      --alias server-cert \
      --output-file old-server-cert.crt
  2. Concatenate the previous and new certificate into one file.
    On Windows, use a text editor like Notepad. On Unix, use the following command:
    cat old-server-cert.crt new-server-cert.crt > old-new-server-cert.crt
  3. Use dsconfig to update the listener-certificate property for the server instance's LDAP listener in the topology registry, as follows:
    $ bin/dsconfig -n set-server-instance-listener-prop \
      --instance-name <instance-name> \
      --listener-name ldap-listener-mirrored-config \
      --set "listener-certificate<old-new-server-cert.crt"
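As an added example (not from the product documentation), a small POSIX shell script that performs step 2 and checks the resulting bundle before dsconfig reads it in step 3: the helper names, the file names old.crt and new.crt, and the certificate bodies (placeholders, not real certificates) are all constructed for this illustration.

```shell
#!/bin/sh
# Added example: build the combined certificate file of step 2 and sanity-check
# it before step 3 hands it to dsconfig. Needs only POSIX sh, awk, cmp and cat.

# Count complete BEGIN/END CERTIFICATE blocks in a PEM file. Prints the count
# and exits non-zero on an unpaired header or on text outside any block, the
# typical result of a bad copy-and-paste in a text editor. CRLF line endings
# from a Windows editor are tolerated.
count_pem_blocks() {
  awk '
    { sub(/\r$/, "") }
    /^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad = 1; inblk = 1; next }
    /^-----END CERTIFICATE-----$/   { if (!inblk) bad = 1; inblk = 0; n++; next }
    /^[ \t]*$/                      { next }
    { if (!inblk) bad = 1 }
    END { print n + 0; if (bad || inblk) exit 1 }
  ' "$1"
}

# True only if the file holds exactly one well-formed certificate block.
is_single_cert() {
  n=$(count_pem_blocks "$1") && [ "$n" -eq 1 ]
}

# Step 2 with checks: both inputs must be single certificates, they must
# differ (re-exporting the old cert twice is an easy mistake), and the
# output must hold exactly two blocks. Arguments: old.crt new.crt output.crt
bundle_certs() {
  is_single_cert "$1" || { echo "not a single certificate: $1" >&2; return 1; }
  is_single_cert "$2" || { echo "not a single certificate: $2" >&2; return 1; }
  if cmp -s "$1" "$2"; then
    echo "old and new certificates are identical" >&2; return 1
  fi
  cat "$1" "$2" > "$3"
  n=$(count_pem_blocks "$3") && [ "$n" -eq 2 ]
}

# Constructed sample certificates for the demo: the base64 bodies are
# placeholders, not real X.509 data. Writes old.crt and new.crt into $1.
write_samples() {
  printf -- '-----BEGIN CERTIFICATE-----\nT0xEQ0VSVA==\n-----END CERTIFICATE-----\n' > "$1/old.crt"
  printf -- '-----BEGIN CERTIFICATE-----\nTkVXQ0VSVA==\n-----END CERTIFICATE-----\n' > "$1/new.crt"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
bundle_certs "$demo_dir/old.crt" "$demo_dir/new.crt" "$demo_dir/old-new-server-cert.crt" &&
  echo "bundle ok: $(count_pem_blocks "$demo_dir/old-new-server-cert.crt") certificates"
```

With a real export, replace the sample files with old-server-cert.crt and new-server-cert.crt and pass the checked output file to dsconfig exactly as in step 3.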