The server is installed with a self-signed certificate and key (ads-certificate), which are used for internal purposes such as replication authentication, inter-server authentication in the topology registry, reversible password encryption, and encrypted backup/LDIF export.
The ads-certificate lives in the keystore file called ads-truststore under the server's config directory. If your deployment does not allow the self-signed certificate to remain in use, it can be replaced.
The certificate is also stored in the topology registry, so a replacement made on one server is automatically mirrored to every other server in the topology. In the registry it is held in human-readable PEM-encoded format and can be updated with dsconfig.
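Because the same certificate exists in two places (the ads-truststore keystore and the PEM copy in the topology registry), a practical check before and after a replacement is to confirm that both copies are the same certificate and to see when the current one expires. The following is an added example, not code from the page or from the server product: a stdlib-only Python script that parses just the X.509 fields needed for that comparison. It assumes the administrator has already exported the keystore entry as DER (for example with keytool -exportcert) and retrieved the registry PEM by whatever means the procedure prescribes; neither export step is shown here. The certificate used to exercise it is constructed in the block with dummy key and signature bytes, so it is only test data.

```python
"""Compare the topology-registry PEM copy of ads-certificate with the DER copy
exported from ads-truststore, and report self-signed status and expiry.
Stdlib only; the parser covers only the fields this check needs."""
import base64
import hashlib
from datetime import datetime, timezone

OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3 commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # rsaEncryption


def _der(tag, payload):
    """Encode one DER TLV with a minimal definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _name(cn):
    """X.501 Name with one CN RDN: SEQ { SET { SEQ { OID, UTF8String } } }."""
    atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode("utf-8")))
    return _der(0x30, _der(0x31, atv))


def _utc_time(day):
    """UTCTime 'YYMMDD000000Z' from an ISO date string."""
    return _der(0x17, datetime.strptime(day, "%Y-%m-%d").strftime("%y%m%d000000Z").encode())


def make_synthetic_self_signed_cert(cn, not_before, not_after, serial=1):
    """CONSTRUCTED TEST DATA: a structurally valid X.509 v3 certificate whose
    issuer equals its subject. Key and signature are dummy bytes, so it only
    exercises the parser; it is not usable on a real server."""
    alg = _der(0x30, _der(0x06, OID_SHA256_RSA) + _der(0x05, b""))
    spki = _der(0x30, _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b""))
                + _der(0x03, b"\x00" + b"\x42" * 32))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                   # [0] version v3
        _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big")),
        alg, _name(cn),
        _der(0x30, _utc_time(not_before) + _utc_time(not_after)),
        _name(cn), spki,
    ]))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\x99" * 32))


def _rdn_cn(name):
    """Return the first CN value in a Name, or None."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)                      # one RDN SET
        _, atv, _ = _tlv(rdn, 0)                           # first AttributeTypeAndValue
        _, oid, p = _tlv(atv, 0)
        _, value, _ = _tlv(atv, p)
        if oid == OID_CN:
            return value.decode("utf-8")
    return None


def _asn1_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                                        # UTCTime: RFC 5280 century rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_cert(der):
    """Fields an admin compares: CNs, serial, notAfter, self-signed flag and the
    colon-separated SHA-256 fingerprint in the form keytool prints."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                        # explicit version, serial follows
        tag, val, pos = _tlv(tbs, pos)
    serial = int.from_bytes(val, "big")
    _, _, pos = _tlv(tbs, pos)                             # signature algorithm
    _, issuer, pos = _tlv(tbs, pos)
    _, validity, pos = _tlv(tbs, pos)
    _, subject, pos = _tlv(tbs, pos)
    _, _, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    fp = hashlib.sha256(der).hexdigest().upper()
    return {
        "subject_cn": _rdn_cn(subject),
        "issuer_cn": _rdn_cn(issuer),
        "self_signed": issuer == subject,                  # Name equality only, no signature check
        "serial": serial,
        "not_after": _asn1_time(t2, na).date().isoformat(),
        "fingerprint_sha256": ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)),
    }


def pem_to_der(pem):
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der):
    b = base64.b64encode(der).decode()
    lines = "\n".join(b[i:i + 64] for i in range(0, len(b), 64))
    return "-----BEGIN CERTIFICATE-----\n" + lines + "\n-----END CERTIFICATE-----\n"


def registry_matches_keystore(registry_pem, keystore_der):
    """True when the registry PEM and the keystore DER are the same certificate."""
    return inspect_cert(pem_to_der(registry_pem))["fingerprint_sha256"] == \
        inspect_cert(keystore_der)["fingerprint_sha256"]


def days_until_expiry(der, today):
    exp = datetime.strptime(inspect_cert(der)["not_after"], "%Y-%m-%d")
    return (exp - datetime.strptime(today, "%Y-%m-%d")).days


if __name__ == "__main__":
    cert = make_synthetic_self_signed_cert("ds1.example.com", "2024-01-01", "2044-01-01", 0x1234)
    print(inspect_cert(cert))
    print("registry == keystore:", registry_matches_keystore(der_to_pem(cert), cert))
```

On a real server, replace the synthetic certificate with the DER exported from ads-truststore and the PEM taken from the topology registry; a fingerprint mismatch after a replacement means one of the two copies was not updated, and a self_signed result of True after the replacement means the keystore still holds the original certificate. The self-signed test here is issuer-equals-subject only; it does not verify the signature.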
The following general steps are required to replace the self-signed certificate: