The server is installed with a self-signed certificate and key (ads-certificate), which are used for internal purposes such as replication authentication, inter-server authentication in the topology registry, reversible password encryption, and encrypted backup/LDIF export.

ads-certificate lives in the keystore file called ads-truststore under the server's directory. If your deployment requires removing the self-signed certificate, it can
The certificate is stored in the topology registry, so replacing it on one server is enough: the change is automatically mirrored to all other servers in the topology. It is stored in human-readable PEM-encoded format and can be updated with
The following general steps are required to replace the self-signed certificate:

- Prepare a new keystore with the replacement key-pair.
- Update the server configuration to use the new certificate by adding it to the server's list of certificates in the topology registry so that it is trusted by other servers.
- Update the server's ads-truststore file to use the new key-pair.
- Retire the old certificate by removing it from the topology registry.
Replacing the entire key-pair, rather than just the certificate associated with the original private key, can make existing backups and LDIF exports invalid. A full key-pair replacement should therefore be performed immediately after setup, or before the key-pair is used. After that, only the certificate associated with the private key should need to change, for example to extend its validity period or to replace it with a certificate signed by a different CA.
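The following script is an added example, not part of the original documentation or the product's own tooling. It illustrates the first step of the procedure above (preparing a replacement keystore) in the way the caveat recommends: the certificate is re-issued from the existing private key so that encrypted backups and LDIF exports remain usable, and a check confirms the public key did not change. It assumes `openssl` is installed; the file names, the subject name, the PKCS12 container format and the keystore password are placeholders chosen for the example, and the final import into ads-truststore and the topology registry is left to the product's own commands, which this page does not reproduce.

```shell
#!/bin/sh
# Added example (not from the original page): re-issue a certificate for an
# existing private key and package it as a keystore, then verify the key is
# unchanged. All paths and names below are placeholders for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJECT="/CN=ds1.example.com"          # placeholder subject, not a real host

# Constructed starting point: a key pair standing in for the self-signed
# ads-certificate created at setup (short validity, as if about to expire).
make_initial_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/ads.key" -out "$WORKDIR/ads-old.pem" \
    -subj "$SUBJECT" >/dev/null 2>&1
}

# Re-issue: build a CSR from the EXISTING private key and self-sign it with a
# longer validity. Only the certificate changes; the key pair is retained, so
# material encrypted under the old certificate stays readable.
# (For a CA-signed replacement, the same CSR would be sent to the CA instead.)
reissue_certificate() {
  openssl req -new -key "$WORKDIR/ads.key" -subj "$SUBJECT" \
    -out "$WORKDIR/ads.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORKDIR/ads.csr" -signkey "$WORKDIR/ads.key" \
    -days 3650 -out "$WORKDIR/ads-new.pem" >/dev/null 2>&1
}

# Check 1: the public key inside the new certificate must equal the public key
# derived from the private key. Exit status 0 means they match.
public_key_matches() {
  key_pub=$(openssl pkey -in "$WORKDIR/ads.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$WORKDIR/ads-new.pem" -noout -pubkey 2>/dev/null)
  [ "$key_pub" = "$cert_pub" ]
}

# Check 2: the new certificate must actually differ from the old one (otherwise
# nothing was rotated). Compared by SHA-256 fingerprint; exit status 0 = differ.
certificates_differ() {
  old_fp=$(openssl x509 -in "$WORKDIR/ads-old.pem" -noout -fingerprint -sha256)
  new_fp=$(openssl x509 -in "$WORKDIR/ads-new.pem" -noout -fingerprint -sha256)
  [ "$old_fp" != "$new_fp" ]
}

# Package the retained key and the new certificate into a PKCS12 keystore under
# the alias ads-certificate. The container format and password are assumptions
# for this example; the product's import command is not shown on this page.
build_keystore() {
  openssl pkcs12 -export -inkey "$WORKDIR/ads.key" -in "$WORKDIR/ads-new.pem" \
    -name ads-certificate -out "$WORKDIR/ads-new.p12" \
    -passout pass:changeit >/dev/null 2>&1
}

# Print the validity window of the re-issued certificate for the operator.
show_validity() {
  openssl x509 -in "$WORKDIR/ads-new.pem" -noout -dates
}

# Stand-alone run: rotate, verify, package.
if [ "${RUN_EXAMPLE:-1}" = "1" ]; then
  make_initial_keypair
  reissue_certificate
  public_key_matches && echo "public key unchanged: backups remain readable"
  certificates_differ && echo "certificate rotated"
  build_keystore
  show_validity
  echo "new keystore: $WORKDIR/ads-new.p12 (PEM certificate: $WORKDIR/ads-new.pem)"
fi
```

The PEM file produced by `reissue_certificate` is the form the page says the topology registry stores, while the PKCS12 file stands in for the replacement keystore; whichever keystore type your server expects, the public-key comparison in `public_key_matches` is the check that tells you the rotation did not silently become a full key-pair replacement.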