How do I replace the certificates (key pair) used for replication in DS 6.x?
The purpose of this article is to provide assistance on replacing the certificates used for replication. This article covers various scenarios, including replacing the self-signed ads-truststore certificates with external or CA-signed certificates (both before and after replication is enabled) and renewing self-signed certificates.
Note
This article does not apply to DS 7 and later, because DS 7 introduces improvements to simplify rotating the key pairs used to secure replication connections. By default, replication now uses the same keys as the other connection handlers. See Key Management for further information.
If you want to use your own SSL certificate to secure replication instead of the default one (ssl-key-pair) in DS 7 and later, see How do I install a CA-signed certificate for use in DS 7.x? for further information.
Replacing certificates
Your existing setup and what you are trying to achieve determine which process you need to follow. It is very important that you follow the correct process so that replication continues to work after you replace your certificates.
The following sections provide a brief description of the scenario, and links to articles and documentation for the relevant process:
- Replacing a self-signed certificate with a CA certificate
- Replacing a self-signed certificate with a newer self-signed certificate
Replacing a self-signed certificate with a CA certificate
The steps needed to replace a self-signed certificate with a CA certificate vary depending on whether replication is enabled and whether you have a secured environment.
- Replication is NOT enabled - You have not yet enabled replication but want to replace the default self-signed ads-truststore certificates with an external or CA-signed certificate. See How do I configure a CA Signed certificate for replication in DS 6.x - [replication is NOT enabled]? for further information.
- Replication is enabled - You want to replace the default self-signed ads-truststore certificates with a CA-signed certificate and already have replication enabled (non-secured environment). See How do I configure a CA Signed certificate for replication in DS 6.x - [replication is enabled]? for further information.
- Replication is enabled AND you have a secured environment - You want to replace the default self-signed ads-truststore certificates with a CA-signed certificate in a secured environment (production mode enabled, secure communication for replication and encrypted backends) where downtime is not an option. See How do I configure a CA Signed certificate for replication in a secured DS 6.x with no downtime - [replication is enabled]? for further information.
Replacing a self-signed certificate with a newer self-signed certificate
You want to replace an existing self-signed certificate with a newer one. This process is described in the documentation: To Replace the Key Pair Used for Replication.
See Also
FAQ: SSL certificate management in DS 6.x
How do I use externally created SSL keys with DS 6.x?
Related Training
ForgeRock Directory Services Core Concepts (DS-400)
Related Issue Tracker IDs
OPENDJ-5235 (Allow external certificates to be used for replication during setup)