To configure a trusted certificate in PingDirectory, you must replace the default self-signed certificate in the keystore with the trusted certificate. You must ensure that the referenced certificate files are in PEM certificate format.

  1. On the PingDirectory server in the installed directory, execute the following command.
    bin/manage-certificates change-certificate-alias \
    > --keystore config/keystore \
    > --keystore-password-file config/ \
    > --current-alias server-cert \
    > --new-alias server-cert-prev
    # Initializing the server's encryption framework...
    Successfully changed the alias from 'server-cert' to 'server-cert-prev'.
  2. Import the new trusted certificate to the keystore with the server-cert alias.
    bin/manage-certificates import-certificate \
    > --keystore config/keystore \
    > --keystore-password-file config/ \
    > --alias server-cert \
    > --private-key-file \
    > --certificate-file \
    > --certificate-file intermediate.crt
    # Initializing the server's encryption framework...
    The following certificate chain will be imported into the keystore, along with
    a private key, into alias 'server-cert':
    < Certificate Displayed Here >
    Do you want to import this certificate chain into the keystore? yes
    Successfully imported the certificate chain and its associated private key.
The trusted certificate is installed for use by the PingDirectory LDAPS Listener. IdentityIQ can now connect to PingDirectory over LDAPS.