Each server instance in a topology has an inter-server certificate that is generated during the setup process. Because this certificate is not exposed to clients, a trusted issuer does not need to sign it. Instead, the topology registry, which represents a mirrored portion of the configuration with information about every PingDirectory Server instance in the environment, contains the information that each instance needs to trust the inter-server certificates for all other instances.

Inter-server certificates can also be used to protect certain secrets that are shared among servers within the topology, like the secrets that are used to digitally sign log files, backups, and LDIF exports. Inter-server certificates also include the encryption keys that reversible password-storage schemes use.

The inter-server certificate is generated with a long lifespan. Replace it only when you suspect that its private key is compromised.