The new ads-truststore file,, contains only the server’s new key pair. You must import the currently trusted certificates of other servers in the topology.

To export trusted certificates from ads-truststore and import them into, perform the following steps for each trusted certificate:

  1. Locate the currently trusted certificates, as follows:
    manage-certificates list-certificates \
      --keystore ads-truststore
  2. For each alias other than ads-certificate, or whose fingerprint does not match ads-certificate, perform the following steps:
    1. Export the trusted certificate from ads-truststore, as follows:
      manage-certificates export-certificate \
        --keystore ads-truststore \
        --keystore-password-file \
        --alias <trusted-cert-alias> \
        --export-certificate-chain \
        --output-file <trust-cert-alias>.crt
    2. Import the trusted certificate into, as follows:
      manage-certificates import-certificate \
        --keystore \
        --keystore-type JKS \
        --keystore-password-file \
        --alias <trusted-cert-alias> \
        --certificate-file <trusted-cert-alias>.crt