Because the inter-server certificate is also stored in the topology registry, it can be replaced on one server and the change is mirrored automatically to all other servers in the topology.

Important: Before attempting to replace the inter-server certificate, ensure that all servers in the topology are updated to version 7.0 or later.

The inter-server certificate is stored in human-readable, PEM-encoded form and can be updated with the dsconfig tool. While the certificate is being replaced, existing authenticated connections continue to work. If the server is restarted, or if a topology change forces its peer connections to be reset, the server continues to authenticate with its peers because all of them already trust the new certificate.

To replace the inter-server certificate with no downtime, complete the following tasks:

  1. Prepare a new keystore with the replacement key pair.
  2. Import the earlier trusted certificates into the new keystore.
  3. Update the server configuration to use the new certificate by adding it to the server’s list of certificates in the topology registry.
     After this step is performed, other servers will trust the certificate.
  4. Replace the server’s ads-truststore file with the new one.
  5. Retire the previous certificate by removing it from the topology registry.

The following sections describe these tasks in more detail.
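The order of steps 3 to 5 is what keeps the rotation free of downtime: the new certificate is published (and so trusted by every peer) before the server starts presenting it, and the old certificate leaves the registry only after nothing presents it any more. The following Python model is an added illustration and is not PingDirectory code or the dsconfig tool. It assumes a simplified topology registry (a dict of server name to published certificates, mirrored to every server, with each server trusting the union) and a simplified ads-truststore (the single certificate a server presents to peers); the certificate values are constructed string labels. It checks connectivity after each step in the documented order, and shows that retiring the old certificate before the keystore switch breaks the server's own peer connections.

```python
"""Model of the zero-downtime rotation order for the inter-server certificate.

Added illustration, not PingDirectory code. The topology registry is a dict
of server name -> list of published certificates (mirrored to every server);
the ads-truststore is a dict of server name -> the certificate the server
presents to peers. Certificate values are constructed labels, not real PEM.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Topology:
    registry: Dict[str, List[str]] = field(default_factory=dict)  # mirrored view
    keystore: Dict[str, str] = field(default_factory=dict)        # what each server presents

    def trusted(self) -> Set[str]:
        """Every server trusts the union of all certificates in the registry."""
        return {cert for certs in self.registry.values() for cert in certs}

    def can_connect(self, client: str) -> bool:
        """A peer connection succeeds if the client's presented cert is trusted."""
        return self.keystore[client] in self.trusted()

    def all_peers_connect(self) -> bool:
        return all(self.can_connect(name) for name in self.registry)


def build_topology(names: List[str]) -> Topology:
    # Constructed starting state: each server presents its own current cert.
    return Topology(
        registry={n: [f"{n}-current"] for n in names},
        keystore={n: f"{n}-current" for n in names},
    )


def add_certificate(topo: Topology, server: str, cert: str) -> None:
    """Step 3: publish the new certificate so peers start trusting it."""
    topo.registry[server].append(cert)


def replace_keystore(topo: Topology, server: str, cert: str) -> None:
    """Step 4: switch the server's ads-truststore to the new key pair."""
    topo.keystore[server] = cert


def safe_to_retire(topo: Topology, cert: str) -> bool:
    """Step 5 pre-check: no server may still be presenting the old certificate."""
    return cert not in topo.keystore.values()


def retire_certificate(topo: Topology, server: str, cert: str) -> bool:
    """Step 5: remove the old certificate from the registry, only when safe."""
    if not safe_to_retire(topo, cert):
        return False
    topo.registry[server].remove(cert)
    return True


def rotate(topo: Topology, server: str, new_cert: str) -> List[bool]:
    """Run steps 3-5 in the documented order; report connectivity after each."""
    old_cert = topo.keystore[server]
    results = []
    add_certificate(topo, server, new_cert)
    results.append(topo.all_peers_connect())
    replace_keystore(topo, server, new_cert)
    results.append(topo.all_peers_connect())
    retire_certificate(topo, server, old_cert)
    results.append(topo.all_peers_connect())
    return results


def rotate_retire_first(topo: Topology, server: str, new_cert: str) -> bool:
    """Wrong order: retiring the old cert before the keystore switch. The guard
    in retire_certificate would refuse this, so the removal is forced here to
    show the effect: the server still presents a cert nobody trusts."""
    old_cert = topo.keystore[server]
    add_certificate(topo, server, new_cert)
    topo.registry[server].remove(old_cert)   # bypasses safe_to_retire on purpose
    return topo.all_peers_connect()          # False: server still presents old cert


if __name__ == "__main__":
    topo = build_topology(["ds1", "ds2", "ds3"])
    print(rotate(topo, "ds1", "ds1-new"))                                          # [True, True, True]
    print(rotate_retire_first(build_topology(["ds1", "ds2"]), "ds1", "ds1-new"))   # False
```

The `safe_to_retire` check is the one worth carrying over to a real rotation: before removing the previous certificate from the topology registry, confirm that every server has already switched its ads-truststore, since the registry change is mirrored to all servers at once.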