How do I replace the certificates (key pair) used for replication in DS/OpenDJ (All versions?
The purpose of this article is to provide assistance on replacing the certificates used for replication. This article covers various scenarios including replacing the self-signed ads-truststore certificates with external or CA signed certificates (both when replication is setup and before it is enabled) and also renewing self-signed certificates.
Replacing certificates
Depending on your existing setup and what you are trying to achieve will determine what process you need to follow. It is very important that you follow the correct process to ensure replication continues to work after replacing your certificates.
The following sections provide a brief description of the scenario and provides links to articles / documentation for the relevant process:
Replacing a self-signed certificate with a CA certificate
The steps needed to replace a self-signed certificate with a CA certificate vary depending on whether replication is enabled or not, and also whether you have a secured environment.
- Replication is NOT enabled - You have not yet enabled replication but want to replace the default self-signed ads-truststore certificates with an external or CA signed certificate. See How do I configure a CA Signed certificate for replication in DS/OpenDJ (All versions) - [replication is NOT enabled]? for further information.
- Replication is enabled - You want to replace the default self-signed ads-truststore certificates with a CA signed certificate and already have replication enabled (non-secured environment). See How do I configure a CA Signed certificate for replication DS/OpenDJ (All versions) - [replication is enabled]? for further information.
- Replication is enabled AND you have a secured environment - You want to replace the default self-signed ads-truststore certificates with a CA signed certificate and have a secured environment (production mode enabled, secure communication for replication and encrypted backends) and downtime is not an option. See How do I configure a CA Signed certificate for replication in a secured DS (All versions) with no downtime - [replication is enabled]? for further information.
Replacing a self-signed certificate with a newer self-signed certificate
You want to replace an existing self-signed certificate with a newer one. This process is described in the documentation: Administration Guide › To Replace the Key Pair Used for Replication.
See Also
FAQ: SSL certificate management in DS/OpenDJ
How do I use externally created SSL keys with DS/OpenDJ (All versions)?
Related Training
Related Issue Tracker IDs
OPENDJ-5235 (Allow external certificates to be used for replication during setup)