If a private key and certificate in PEM-encoded format already exist, you can replace both the original private key and the self-signed certificate in ads-truststore by using the manage-certificates tool. Depending on your operating system, the manage-certificates tool is located in the server's bin or bat directory.

Important: If the existing key pair is not in PEM-encoded format, convert it to a format that is compatible with the server's ads-truststore keystore file format before proceeding.

If you replace the entire key pair instead of only the certificate that is associated with the original private key, your existing backups and LDIF exports might be rendered invalid. To avoid this scenario, perform this step immediately after setup, or at least before the key pair is used. After the first use, change only the certificate associated with the private key to extend its validity period, or to replace it with a certificate that is signed by a different CA.

The following command imports existing certificates into a new keystore file named ads-truststore.new:

manage-certificates import-certificate \
  --keystore ads-truststore.new \
  --keystore-type JKS \
  --keystore-password-file ads-truststore.pin \
  --alias ads-certificate \
  --private-key-file existing.key \
  --certificate-file existing.crt \
  --certificate-file intermediate.crt \
  --certificate-file root-ca.crt

Order the --certificate-file options so that each subsequent certificate is the issuer of the previous one: the server certificate is listed first, any intermediate certificates are listed next, and the root CA certificate is listed last. Some deployments have no intermediate issuer, in which case you import only the server certificate and its single (root) issuer.
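A pre-import check for the ordering rule above and for the match between the private key and the server certificate, as an added shell example (not part of the product's tooling). It assumes the openssl command-line tool is installed and uses the file names from the import command above.

```shell
#!/bin/sh
# chain_in_order KEY CERT [INTERMEDIATE...] ROOT
# Returns 0 when KEY matches CERT's public key and every certificate is
# followed by its issuer (server -> intermediate -> root), 1 otherwise.
# Added example; file names are assumptions taken from the import command.
chain_in_order() {
  key=$1; shift
  first=$1

  # The private key must belong to the first (server) certificate:
  # compare the PEM public key derived from each.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$first" -pubkey -noout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
    echo "error: $key does not match the public key in $first" >&2
    return 1
  fi

  # Each certificate's issuer DN must equal the next certificate's subject DN.
  prev=""
  for crt in "$@"; do
    if [ -n "$prev" ]; then
      issuer=$(openssl x509 -in "$prev" -noout -issuer)
      subject=$(openssl x509 -in "$crt" -noout -subject)
      if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
        echo "error: $crt is not the issuer of $prev (expected order: server, intermediate, root)" >&2
        return 1
      fi
    fi
    prev=$crt
  done

  # The last certificate must be self-signed, i.e. the root CA.
  last_issuer=$(openssl x509 -in "$prev" -noout -issuer)
  last_subject=$(openssl x509 -in "$prev" -noout -subject)
  if [ "${last_issuer#issuer=}" != "${last_subject#subject=}" ]; then
    echo "error: $prev is not self-signed; the chain does not end at a root CA" >&2
    return 1
  fi
  return 0
}

# Usage: chain_in_order existing.key existing.crt intermediate.crt root-ca.crt
if [ "$#" -gt 0 ]; then
  chain_in_order "$@" && echo "chain order OK"
fi
```

Run it with the same key and certificate files, in the same order, that you pass to manage-certificates; a non-zero exit means the import would build a broken chain.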