How To

How do I replace the certificates (key pair) used for replication in DS/OpenDJ (All versions?

Last updated Jan 7, 2020

The purpose of this article is to provide assistance on replacing the certificates used for replication. This article covers various scenarios including replacing the self-signed ads-truststore certificates with external or CA signed certificates (both when replication is setup and before it is enabled) and also renewing self-signed certificates.

Replacing certificates

Depending on your existing setup and what you are trying to achieve will determine what process you need to follow. It is very important that you follow the correct process to ensure replication continues to work after replacing your certificates.

The following sections provide a brief description of the scenario and provides links to articles / documentation for the relevant process:

Replacing a self-signed certificate with a CA certificate

The steps needed to replace a self-signed certificate with a CA certificate vary depending on whether replication is enabled or not, and also whether you have a secured environment.

Replacing a self-signed certificate with a newer self-signed certificate

You want to replace an existing self-signed certificate with a newer one. This process is described in the documentation: Administration Guide › To Replace the Key Pair Used for Replication.

See Also

FAQ: SSL certificate management in DS/OpenDJ

Replication in DS/OpenDJ

How do I use externally created SSL keys with DS/OpenDJ (All versions)?

Administration Guide › Changing Server Certificates

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Related Issue Tracker IDs

OPENDJ-5235 (Allow external certificates to be used for replication during setup)

Copyright and TrademarksCopyright © 2020 ForgeRock, all rights reserved.