How To

How do I replace the certificates (key pair) used for replication in DS 5.x, 6.x or OpenDJ 3.x?

Last updated Aug 10, 2020

The purpose of this article is to provide assistance on replacing the certificates used for replication. It covers various scenarios, including replacing the self-signed ads-truststore certificates with external or CA-signed certificates (both when replication is already set up and before it is enabled) and renewing self-signed certificates.


Replacing certificates

The process you need to follow depends on your existing setup and what you are trying to achieve. It is very important that you follow the correct process to ensure replication continues to work after replacing your certificates.

Note

DS 7 introduces improvements to simplify rotating the key pairs used to secure replication connections. By default, replication now uses the same keys as the other connection handlers. See Security Guide › Key Management for further information.

The following sections briefly describe each scenario and provide links to articles and documentation for the relevant process:

Replacing a self-signed certificate with a CA certificate

The steps needed to replace a self-signed certificate with a CA certificate vary depending on whether replication is enabled or not, and also whether you have a secured environment.

Replacing a self-signed certificate with a newer self-signed certificate

You want to replace an existing self-signed certificate with a newer one. This process is described in the documentation: Administration Guide › To Replace the Key Pair Used for Replication.

See Also

FAQ: SSL certificate management in DS 5.x, 6.x or OpenDJ 3.x

Replication in DS/OpenDJ

How do I use externally created SSL keys with DS 5.x, 6.x or OpenDJ 3.x?

Administration Guide › Changing Server Certificates

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Related Issue Tracker IDs

OPENDJ-5235 (Allow external certificates to be used for replication during setup)



Copyright and Trademarks

Copyright © 2020 ForgeRock, all rights reserved.