If a private key and certificate in PEM-encoded format already exist, both the original private key and the self-signed certificate can be replaced in ads-truststore by using the manage-certificates tool. Depending on your operating system, the manage-certificates tool is located in the server's bin or bat directory.
If you replace the entire key pair instead of only the certificate that is associated with the original private key, your existing backups and LDIF exports might be rendered invalid. To avoid this scenario, perform this step immediately after setup, or at least before the key pair is used. After the first use, change only the certificate associated with the private key to extend its validity period, or to replace it with a certificate that is signed by a different CA.
The following command imports existing certificates into a new keystore file named ads-truststore.new:
manage-certificates import-certificate \
    --keystore ads-truststore.new \
    --keystore-type JKS \
    --keystore-password-file ads-truststore.pin \
    --alias ads-certificate \
    --private-key-file existing.key \
    --certificate-file existing.crt \
    --certificate-file intermediate.crt \
    --certificate-file root-ca.crt
Order the certificates given with the --certificate-file option so that each subsequent certificate is the issuer of the previous one: the server certificate is listed first, any intermediate certificates next, and the root CA certificate last. Because some deployments do not have an intermediate issuer, you might need to import only the server certificate and a single issuer.
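As an added pre-flight check, which is not part of the product documentation or of the manage-certificates tool, the following POSIX shell functions use openssl to confirm before the import that the PEM private key matches the server certificate, that the certificate files are ordered so that each file's issuer is the next file's subject with a self-issued root last, and that the chain actually validates. The file names existing.key, existing.crt, intermediate.crt and root-ca.crt are the ones from the command above; an openssl binary on the PATH is assumed.

```shell
#!/bin/sh
# Added pre-import checks for a PEM key pair and certificate chain.
# Assumes: openssl on the PATH; file names are placeholders matching the
# import-certificate command (existing.key, existing.crt, intermediate.crt,
# root-ca.crt). Not part of the server's own tooling.

# check_key_matches_cert KEYFILE CERTFILE
# Returns 0 when the public key derived from the private key is identical to
# the public key carried in the certificate.
check_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# check_chain_order CERT1 CERT2 ... CERTn
# Returns 0 when issuer(CERT_i) == subject(CERT_i+1) for every adjacent pair
# (the order --certificate-file expects) and the last file is self-issued,
# i.e. the root CA. This is a DN string comparison, not a signature check.
check_chain_order() {
    [ $# -gt 0 ] || return 1
    prev_issuer=""
    for f in "$@"; do
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || return 1
        issuer=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null) || return 1
        # strip the "subject=" / "issuer=" prefixes so the two become comparable
        subject=${subject#subject=}
        issuer=${issuer#issuer=}
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "chain order error: $f is not the issuer of the preceding certificate" >&2
            return 1
        fi
        prev_issuer=$issuer
    done
    # the final certificate must be the self-issued root
    [ "$issuer" = "$subject" ]
}

# verify_chain SERVER [INTERMEDIATE ...] ROOT
# Runs a real path validation: the last file is the trust anchor, everything
# between it and the server certificate is passed as untrusted intermediates.
verify_chain() {
    [ $# -ge 2 ] || return 1
    server=$1; shift
    eval "root=\${$#}"
    untrusted=$(mktemp "${TMPDIR:-/tmp}/chain.XXXXXX") || return 1
    while [ $# -gt 1 ]; do
        cat "$1" >> "$untrusted"
        shift
    done
    if [ -s "$untrusted" ]; then
        openssl verify -CAfile "$root" -untrusted "$untrusted" "$server" >/dev/null 2>&1 && rc=0 || rc=1
    else
        openssl verify -CAfile "$root" "$server" >/dev/null 2>&1 && rc=0 || rc=1
    fi
    rm -f "$untrusted"
    return $rc
}

# Usage (same file list and order as the --certificate-file options):
#   check_key_matches_cert existing.key existing.crt \
#   && check_chain_order existing.crt intermediate.crt root-ca.crt \
#   && verify_chain existing.crt intermediate.crt root-ca.crt
```

Run all three checks with the same file list, in the same order you will pass to --certificate-file; for a deployment without an intermediate issuer, pass only the server certificate and the root. check_chain_order is a fast ordering sanity check on distinguished names, while verify_chain performs the actual signature and path validation, so a chain that passes the first but fails the second usually has a certificate from the wrong CA or a missing intermediate.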