Does not apply to Identity Cloud

How do I replace the certificates (key pair) used for replication in DS 6.x?

Last updated Jan 11, 2023

The purpose of this article is to provide assistance on replacing the certificates used for replication. This article covers several scenarios, including replacing the self-signed ads-truststore certificates with external or CA-signed certificates (both when replication is already set up and before it is enabled), and renewing self-signed certificates.

This article does not apply to DS 7 and later, because DS 7 introduces improvements to simplify rotating the key pairs used to secure replication connections. By default, replication now uses the same keys as the other connection handlers. See Key Management for further information.

If you want to use your own SSL certificate to secure replication instead of the default one (ssl-key-pair) in DS 7 and later, see How do I install a CA-signed certificate for use in DS 7.x? for further information.

Replacing certificates

Your existing setup and what you are trying to achieve determine which process you need to follow. It is very important that you follow the correct process to ensure replication continues to work after replacing your certificates.

The following sections provide a brief description of each scenario, with links to the articles and documentation that cover the relevant process:

Replacing a self-signed certificate with a CA certificate

The steps needed to replace a self-signed certificate with a CA certificate vary depending on whether replication is already enabled, and on whether your environment is secured.

Replacing a self-signed certificate with a newer self-signed certificate

You want to replace an existing self-signed certificate with a newer one. This process is described in the documentation: To Replace the Key Pair Used for Replication.

See Also

FAQ: SSL certificate management in DS 6.x

Replication in DS

How do I use externally created SSL keys with DS 6.x?

Changing Server Certificates

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Related Issue Tracker IDs

OPENDJ-5235 (Allow external certificates to be used for replication during setup)

Copyright and Trademarks

Copyright © 2023 ForgeRock, all rights reserved.