The ads-certificate lives in the keystore file called ads-truststore under the server’s /config directory. If your deployment requires removing the self-signed certificate, it can be replaced.

The certificate is stored in the topology registry, which enables replacing it on one server and having it mirrored to all other servers in the topology. Any change is automatically mirrored on other servers in the topology. It is stored in human-readable PEM-encoded format and can be updated with dsconfig. The following general steps are required to replace the self-signed certificate:

  1. Prepare a new keystore with the replacement key-pair.
  2. Update the server configuration to use the new certificate by adding it to the server's list of certificates in the topology registry so that it is trusted by other servers.
  3. Update the server's ads-truststore file to use the new key-pair.
  4. Retire the old certificate by removing it from the topology registry.

    Replacing the entire key-pair instead of just the certificate associated with the original private key can make existing backups and LDIF exports invalid. This should be performed immediately after setup or before the key-pair is used. After the first time, only the certificate associated with the private key should have to be changed, for example, to extend its validity period or replace it with a certificate signed by a different CA.