Generated during installation, the inter-server certificate is stored under the alias ads-certificate in a file named ads-truststore, which resides in the server’s /config directory. This certificate contains the key pair for the local server as well as for the certificates of all trusted servers, and has a lifetime of 20 years before expiring.

The local server's public key is signed by its own private key, making it a self-signed certificate. The alias is hard-coded to ads-certificate, and the keystore file is hard-coded to ads-truststore. This behavior cannot be modified during setup.

  • Although some customers feel uncomfortable with the self-signed nature of the inter-server certificate, we recommend that you do not replace it with a CA-signed certificate for the following reasons:
    • If the inter-server certificate is replaced incorrectly, serious problems can occur during topology authentication.
    • The inter-server certificate is used for internal purposes only.
  • If the server's access logs contain authentication (bind) errors, the inter-server certificate is most likely configured inappropriately. In the topology registry, this certificate is persisted in the inter-server-certificate property of a server instance.