During setup, administrators have the option of using self-signed certificates or CA-signed certificates for the server certificate. Where possible, we encourage the use of CA-signed certificates. Self-signed certificates are recommended only for demonstration and proof-of-concept environments.

If you specify the option --generateSelfSignedCertificate during setup, the server certificate is generated automatically with the alias server-cert. The key pair consists of the private key and the self-signed certificate, and is stored in a file named keystore, which resides in the server's /config directory. The certificates for all the servers that the server trusts are stored in the truststore file, which is also located under the server's /config directory.

To override the server certificate alias and the files that store the key pair and certificates, use the following arguments during setup:

  • --certNickname
  • --use*Keystore
  • --use*Truststore

For more information about these arguments, refer to the setup tool’s Help and the Installation Guide.

Important: If the server's access logs contain authentication (bind) errors, the inter-server certificate is most likely configured inappropriately. In the topology registry, this certificate is persisted in a Server Instance Listener’s listener-certificate property.