Each server instance in a topology has an inter-server certificate that is generated during the setup process.
The inter-server certificate is not exposed to clients, so a trusted issuer does not need to sign it. Instead, the topology registry, representing a mirrored portion of the configuration with information about every PingDirectory server instance in the environment, contains the information that each instance needs to trust the inter-server certificates for all other instances.
Inter-server certificates can be used to protect certain secrets that are shared among servers within the topology, like the secrets that are used to digitally sign log files, backups, and LDIF exports. Inter-server certificates include the encryption keys that reversible password-storage schemes use.
The inter-server certificate is generated with a long lifespan. Replace it only when you suspect that its private key is compromised.