All existing encrypted backups and LDIF exports are unaffected, because the old and new server certificates contain the same public key, so the existing private key can still decrypt them.

  • To retire the old certificate, run the commands:
    $ cat new-ads.crt intermediate.crt root-ca.crt > chain.crt
    $ bin/dsconfig -n set-server-instance-prop \
      --instance-name <instance-name> \
      --set "inter-server-certificate<chain.crt"
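
Before retiring the old certificate, it is worth confirming that the leaf certificate in `chain.crt` really carries the same public key as the old one, since that is what keeps existing backups and LDIF exports decryptable. The script below is an added example, not part of the product or its documentation; the file name `old-ads.crt` and the function names are assumptions, and the sample certificates it can generate are constructed throwaway data.

```shell
#!/bin/sh
# Added example (not product code). File and function names are hypothetical.

# SHA-256 of the DER SubjectPublicKeyInfo of the first certificate in a PEM
# file. For chain.crt that is the leaf, because new-ads.crt is listed first.
spki_sha256() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] || return 1   # never hash empty input
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if both files parse and carry the same public key.
same_public_key() {
  old_fp=$(spki_sha256 "$1") || return 1
  new_fp=$(spki_sha256 "$2") || return 1
  [ "$old_fp" = "$new_fp" ]
}

# Constructed sample input: throwaway self-signed certificates in directory $1.
# old.crt and renewed.crt share one key; rekeyed.crt uses a different key.
make_sample_certs() {
  for k in a b; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$k.key" || return 1
  done
  for spec in a:old b:rekeyed a:renewed; do
    openssl req -new -x509 -key "$1/${spec%%:*}.key" -subj "/CN=${spec#*:}" \
      -days 1 -out "$1/${spec#*:}.crt" 2>/dev/null || return 1
  done
}

# Usage: sh check-key.sh old-ads.crt chain.crt
if [ "$#" -eq 2 ]; then
  if same_public_key "$1" "$2"; then
    echo "OK: same public key"
  else
    echo "STOP: public key differs or a file is unreadable" >&2
    exit 1
  fi
fi
```

A non-zero exit means the renewed certificate was issued for a different key pair (or a file could not be parsed), in which case the statement about existing backups no longer holds.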