At setup time, the server generates a private key and certificate for use when secure communication between servers is required. This certificate, ads-certificate, is stored in config/ads-truststore and should typically remain unchanged for the life of the server deployment. If the need arises for a new ads-certificate to be created, say because the server root has been copied to a new host, the startup process will recreate the private key and certificate if the config/ads-truststore and config/ads-truststore.pin files are first manually removed while the server is offline. Note that if replication is enabled, it must be disabled on the server before the ads-certificate is regenerated.
For example, the Directory Server allows its installation to be copied easily, and the copy can then be used to install another server instance. If you attempt to enable replication between a server (ldap1.example.com:389) and such a copy of it (ldap2.example.com:389), dsreplication will exit with the following error message:
Replication cannot be enabled between servers ldap1.example.com:389 and ldap2.example.com:389 because they are using the same instance key.
The solution is to stop the server, remove config/ads-truststore and config/ads-truststore.pin, and restart the server. On startup, a new ads-truststore containing the server's own instance key will be generated. You can then re-run dsreplication enable to set up replication between the two servers.
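As an added example (not part of the product documentation), the following POSIX shell script checks whether two server roots carry the same instance key before dsreplication is run, and performs the reset described above. It assumes the server root is passed as an argument, that config/ads-truststore is a Java keystore whose password is the content of config/ads-truststore.pin, and that keytool may or may not be on PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the product documentation. Detects two server roots
# that share one instance key (the condition dsreplication rejects) and performs
# the documented reset. Assumptions: the server root is the first argument,
# config/ads-truststore is a Java keystore whose password is the content of
# config/ads-truststore.pin, and keytool may or may not be on PATH.

# Print a fingerprint that identifies the ads-certificate in a server root.
# Prefers the certificate fingerprint reported by keytool; falls back to a hash
# of the keystore bytes, which still catches a byte-for-byte copied truststore.
instance_key_fingerprint() {
  ks="$1/config/ads-truststore"
  pin="$1/config/ads-truststore.pin"
  [ -f "$ks" ] || { echo "missing $ks" >&2; return 2; }
  fp=""
  if command -v keytool >/dev/null 2>&1 && [ -f "$pin" ]; then
    fp=$(keytool -list -keystore "$ks" -storepass "$(cat "$pin")" 2>/dev/null |
         sed -n 's/.*fingerprint ([A-Z0-9-]*): *//p' | head -n 1)
  fi
  [ -n "$fp" ] || fp=$(sha256sum "$ks" | cut -d' ' -f1)
  printf '%s\n' "$fp"
}

# Exit 0 when both roots carry the same instance key (replication would fail),
# 1 when they differ, 2 when a truststore is missing.
same_instance_key() {
  a=$(instance_key_fingerprint "$1") || return 2
  b=$(instance_key_fingerprint "$2") || return 2
  [ "$a" = "$b" ]
}

# Documented reset: with the server stopped and replication disabled, remove
# the truststore and its pin so the next startup generates a fresh
# ads-certificate. The caller passes "offline" as the second argument to
# confirm the server is stopped (assumption: the script cannot verify that).
reset_instance_key() {
  [ "$2" = "offline" ] || { echo "stop the server first" >&2; return 1; }
  rm -f "$1/config/ads-truststore" "$1/config/ads-truststore.pin"
  [ ! -e "$1/config/ads-truststore" ] && [ ! -e "$1/config/ads-truststore.pin" ]
}
```

Run same_instance_key on the two roots before dsreplication enable; a zero exit means the copy still needs the reset.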