The self-signed certificate can be replaced with an existing key-pair, or the certificate associated with the original key-pair can be used.

Use an existing key-pair

If a private key and certificate in PEM-encoded format already exist, both the original private key and self-signed certificate can be replaced in ads-truststore with the manage-certificates tool. The following command imports the existing certificates into a new keystore file, ads-truststore.new:
$ bin/manage-certificates import-certificate \
  --keystore ads-truststore.new \
  --keystore-type JKS \
  --keystore-password-file ads-truststore.pin \
  --alias ads-certificate \
  --private-key-file existing.key \
  --certificate-file existing.crt \
  --certificate-file intermediate.crt \
  --certificate-file root-ca.crt
Note:

The certificates listed using the --certificate-file options must be ordered so that each subsequent certificate is the issuer for the previous one. So the server certificate comes first, the intermediate certificates next (if any), and the root CA certificate last.

Use the certificate associated with the original key-pair

The certificate associated with the original server-generated private key can be replaced with the following commands.

  1. Create a CSR for the ads-certificate:
    $ bin/manage-certificates generate-certificate-signing-request \
      --keystore ads-truststore \
      --keystore-type JKS \
      --keystore-password-file ads-truststore.pin \
      --alias ads-certificate \
      --use-existing-key-pair \
      --subject-dn "CN=ldap.example.com,O=Example Corporation,C=US" \
      --output-file ads.csr
  2. Submit ads.csr to a CA for signing.
  3. Export the server's private key into ads.key:
    $ bin/manage-certificates export-private-key \
      --keystore ads-truststore \
      --keystore-password-file ads-truststore.pin \
      --alias ads-certificate \
      --output-file ads.key
  4. Import the certificates obtained from the CA (the CA-signed server certificate, any intermediate certificates, and root CA certificate) into ads-truststore.new:
    $ bin/manage-certificates import-certificate \
      --keystore ads-truststore.new \
      --keystore-type JKS \
      --keystore-password-file ads-truststore.pin \
      --alias ads-certificate \
      --private-key-file ads.key \
      --certificate-file new-ads.crt \
      --certificate-file intermediate.crt \
      --certificate-file root-ca.crt
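
Before running either import-certificate command, the key/certificate match and the --certificate-file ordering described in the note above can be checked with the OpenSSL CLI. This is an added example, not part of the product documentation: it assumes openssl is installed and that all files are PEM-encoded, the function names are hypothetical, and it compares issuer and subject names only (it does not verify signatures).

```shell
#!/bin/sh
# Added example: pre-import sanity checks using the OpenSSL CLI (assumed installed).
# Function names are hypothetical; file names follow the commands on this page.

# Print a certificate's subject or issuer DN in RFC 2253 form, without the label.
cert_dn() {  # usage: cert_dn subject|issuer FILE
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//'
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$key_pub" = "$crt_pub" ]
}

# Succeed only if each file's issuer DN equals the next file's subject DN
# (server first, intermediates next, root last) and the last file is self-issued.
# An unreadable file yields an empty DN and is treated as a failure.
chain_in_order() {  # usage: chain_in_order SERVER_CERT [INTERMEDIATE...] ROOT_CERT
  while [ $# -gt 1 ]; do
    iss=$(cert_dn issuer "$1"); sub=$(cert_dn subject "$2")
    if [ -z "$iss" ] || [ "$iss" != "$sub" ]; then
      echo "out of order: $2 is not the issuer of $1" >&2
      return 1
    fi
    shift
  done
  iss=$(cert_dn issuer "$1")
  [ -n "$iss" ] && [ "$iss" = "$(cert_dn subject "$1")" ] || {
    echo "last certificate '$1' is not a self-issued root" >&2; return 1; }
}

# Run both checks with the files in the order the import command expects them.
preflight() {  # usage: preflight KEY SERVER_CERT [INTERMEDIATE...] ROOT_CERT
  key=$1; shift
  key_matches_cert "$key" "$1" || { echo "key does not match $1" >&2; return 1; }
  chain_in_order "$@"
}

# Example calls for the two procedures on this page:
#   preflight existing.key existing.crt intermediate.crt root-ca.crt
#   preflight ads.key new-ads.crt intermediate.crt root-ca.crt
```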