51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark<?xml version="1.0" encoding="UTF-8"?>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark<!--
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! CCPL HEADER START
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark !
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! This work is licensed under the Creative Commons
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! To view a copy of this license, visit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! http://creativecommons.org/licenses/by-nc-nd/3.0/
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! or send a letter to Creative Commons, 444 Castro Street,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Suite 900, Mountain View, California, 94041, USA.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark !
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! You can also obtain a copy of the license at
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! See the License for the specific language governing permissions
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! and limitations under the License.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark !
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! If applicable, add the following below this CCPL HEADER, with the fields
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! enclosed by brackets "[]" replaced with your own identifying information:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Portions Copyright [yyyy] [name of copyright owner]
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark !
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! CCPL HEADER END
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark !
08248b5c5b494aff8d1922e8e0b5777796d7450dmark ! Copyright 2013-2014 ForgeRock AS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark !
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark-->
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark<chapter xml:id='chap-change-certs'
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
08248b5c5b494aff8d1922e8e0b5777796d7450dmark xsi:schemaLocation='http://docbook.org/ns/docbook
08248b5c5b494aff8d1922e8e0b5777796d7450dmark http://docbook.org/xml/5.0/xsd/docbook.xsd'
08248b5c5b494aff8d1922e8e0b5777796d7450dmark xmlns:xlink='http://www.w3.org/1999/xlink'>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Changing Server Certificates</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm><primary>Certificates</primary></indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ uses key stores (for private keys) and trust stores (for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark public, signed certificates). Up to three sets of key stores are used,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark as shown in the following illustration.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <mediaobject xml:id="figure-keystores">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <imageobject>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <imagedata fileref="images/keystores.png" format="PNG" />
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </imageobject>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <caption><para>OpenDJ uses different sets of public and private keys for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark different secure connections.</para></caption>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </mediaobject>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>By default the key stores are located in the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>/path/to/opendj/config</filename> directory.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <filename>keystore</filename> and <filename>truststore</filename>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark hold keys for securing connections with client applications.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <filename>admin-keystore</filename> and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>admin-truststore</filename> hold keys for securing administrative
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark connections, such as those used when connecting with the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>dsconfig</command> command.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The <filename>ads-truststore</filename> holds keys for securing
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark replication connections with other OpenDJ servers in the replication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark topology.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Each key store has a specific purpose.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><filename>admin-keystore</filename></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This Java Key Store holds the private key and administrative
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark certificate for the server, <literal>admin-cert</literal>. This key pair
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark is used to protect communications on the administration port. The password,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark stored in <filename>admin-keystore.pin</filename>, is also the key password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark for <literal>admin-cert</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><filename>admin-truststore</filename></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This Java Key Store holds a copy of the administrative certificate,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>admin-cert</literal>. The password is the same as for the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>admin-keystore</filename>, in other words the string in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>admin-keystore.pin</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><filename>ads-truststore</filename></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This Java Key Store holds public key certificates of all servers
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark replicating with the current server. It also includes the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ads-certificate</literal> key pair of the current server.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The password is stored in <filename>ads-truststore.pin</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Do not change this key store directly.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><filename>keystore</filename></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This Java Key Store holds the private key and server certificate,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>server-cert</literal>, used to protect TLS/SSL communications
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with client applications. The password, stored in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>keystore.pin</filename>, is also the key password for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>server-cert</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <term><filename>truststore</filename></term>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This Java Key Store holds a copy of the <literal>server-cert</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark certificate from the <filename>keystore</filename>. This is also where you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark import certificates of client applications if you want OpenDJ to recognize
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark them. The password is the same as for the <filename>keystore</filename>,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in other words the string in <filename>keystore.pin</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </varlistentry>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </variablelist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <tip>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Examples in this chapter use self-signed certificates, but you can
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark also use certificates signed by a Certificate Authority (CA).</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When importing a certificate (<command>keytool -import</command>)
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark signed by a well-known CA, use the <option>-trustcacerts</option> option
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to trust the CA certificates delivered with the Java runtime
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark environment.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </tip>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="replace-key-pair">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Replace a Server Key Pair</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This procedure shows how to replace a server key pair in the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>admin-keystore</filename> and the copy of the administrative
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark certificate in <filename>admin-truststore</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The examples also apply when replacing a key pair in the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>keystore</filename> and the copy of the server certificate in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>truststore</filename>. Just adapt the commands to use the correct
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark key store, trust store, and PIN file names.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This procedure does not apply to replication key pairs. Instead, see
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <xref linkend="replace-ads-cert" />.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check the alias of the key pair and certificate copy to replace.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark The examples read the store password from the PIN file into a command-line
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark argument; on a host shared with other users, omit <option>-storepass</option>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and let <command>keytool</command> prompt for the password instead, since
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark command-line arguments can be visible to other local users and are kept in
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark shell history.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cd /path/to/opendj/config</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool -list -keystore admin-keystore -storepass `cat admin-keystore.pin`</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Keystore type: JKS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkKeystore provider: SUN
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkYour keystore contains 1 entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadmin-cert, Mar 15, 2013, PrivateKeyEntry,
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkCertificate fingerprint (SHA1): 54:9F:C3:F8:7B:B6:...:0A:98:D0:17:8E</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool -list -keystore admin-truststore -storepass `cat admin-keystore.pin`</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Keystore type: JKS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkKeystore provider: SUN
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkYour keystore contains 1 entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadmin-cert, Mar 15, 2013, trustedCertEntry,
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkCertificate fingerprint (SHA1): 54:9F:C3:F8:7B:B6:...:0A:98:D0:17:8E</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This alias is also stored in the server configuration.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Remove the key pair and certificate copy to replace.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -delete \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias admin-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore admin-keystore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat admin-keystore.pin`</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -delete \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias admin-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore admin-truststore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat admin-keystore.pin`</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Generate a new key pair in the key store.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen width="85">
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -genkey \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias admin-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keyalg RSA \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -validity 7300 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keysize 2048 \
fa45b27dca2b25b4974c90ff996278a3e4305fd1mark -ext "san=dns:opendj.example.com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -dname "CN=opendj.example.com, O=Administration Connector Self-Signed Certificate" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore admin-keystore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat admin-keystore.pin` \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keypass `cat admin-keystore.pin`</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that the <option>-alias</option> option takes the same alias
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark as before. This is because the <literal>ssl-cert-nickname</literal> for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the Administration Connector is configured as <literal>admin-cert</literal>.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Also, the <option>-dname</option> option has a CN value corresponding to the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark fully-qualified domain name of the host where OpenDJ directory server is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark running. The <option>-ext</option> option adds a Subject Alternative Name
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark extension carrying the same host name, which TLS clients that validate host
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark names check.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Get the new key pair's certificate signed, using one of the following
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark alternatives.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <stepalternatives>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Self-sign the certificate. Pass <option>-validity</option> again if
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you need a longer lifetime: <command>keytool -selfcert</command> issues a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark new certificate with its own default validity (90 days) rather than the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 7300 days given to <option>-genkey</option>, as the validity dates in the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark import output below show.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -selfcert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias admin-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore admin-keystore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat admin-keystore.pin`</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create a certificate signing request, have it signed by a CA, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark import the signed certificate from the CA reply.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>For examples of the <command>keytool</command> commands to use, see
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the procedure <link xlink:href="admin-guide#new-ca-signed-cert"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xlink:role="http://docbook.org/xlink/role/olink"><citetitle>To Request and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Install a CA-Signed Certificate</citetitle></link>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </stepalternatives>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Export a copy of the certificate from the key store.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -export \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias admin-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore admin-keystore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat admin-keystore.pin` \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -file admin-cert.crt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Certificate stored in file &lt;admin-cert.crt&gt;</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Import the copy of the certificate into the trust store.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen width="81">
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -import \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias admin-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore admin-truststore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat admin-keystore.pin` \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -file admin-cert.crt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkIssuer: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSerial number: 904fc2b
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkValid from: Fri Mar 15 15:15:20 CET 2013 until: Thu Jun 13 16:15:20 CEST 2013
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate fingerprints:
08248b5c5b494aff8d1922e8e0b5777796d7450dmark MD5: DD:2A:A1:3A:39:87:DF:02:15:A4:8A:9D:77:89:F1:E4
08248b5c5b494aff8d1922e8e0b5777796d7450dmark SHA1: E1:99:82:92:D7:9B:28:B7:93:D2:B5:5B:C9:DA:4E:D2:62:C2:E7:B0
08248b5c5b494aff8d1922e8e0b5777796d7450dmark SHA256: C5:34:9C:04:E2:87:A9:B1:72:B5:...:99:86:3A:02:28:D0:AB:02:5F:F4:BE
08248b5c5b494aff8d1922e8e0b5777796d7450dmark Signature algorithm name: SHA256withRSA
08248b5c5b494aff8d1922e8e0b5777796d7450dmark Version: 3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkExtensions:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
fa45b27dca2b25b4974c90ff996278a3e4305fd1mark#1: ObjectId: 2.5.29.17 Criticality=false
fa45b27dca2b25b4974c90ff996278a3e4305fd1markSubjectAlternativeName [
fa45b27dca2b25b4974c90ff996278a3e4305fd1mark DNSName: opendj.example.com
fa45b27dca2b25b4974c90ff996278a3e4305fd1mark]
fa45b27dca2b25b4974c90ff996278a3e4305fd1mark
fa45b27dca2b25b4974c90ff996278a3e4305fd1mark#2: ObjectId: 2.5.29.14 Criticality=false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSubjectKeyIdentifier [
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkKeyIdentifier [
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark0000: FE 33 69 67 FF E8 64 F6 D3 FB CD 14 1C D3 01 44 .3ig..d........D
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark0010: EE 62 40 DD .b@.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark]
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark]
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkTrust this certificate? [no]:</computeroutput> <userinput>yes</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Certificate was added to keystore</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Restart OpenDJ to make sure it reloads the key stores.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cd /path/to/opendj/bin</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>stop-ds --restart</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>If you have client applications trusting the self-signed certificate,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark have them import the new one (<filename>admin-cert.crt</filename> in this
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark example).</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="replace-ads-cert">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Replace the Key Pair Used for Replication</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Follow these steps to replace the key pair that is used to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark secure replication connections.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Generate a new key pair for the server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The changes you perform are replicated across the topology.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ has an <literal>ads-certificate</literal> key pair (certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark and private key), which is the local copy of the key pair used to secure
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark replication connections.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>To generate the new key pair, you remove the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ads-certificate</literal> key pair, prompt OpenDJ to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark generate a new <literal>ads-certificate</literal> key pair, and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark then add a copy to the administrative data using the MD5 fingerprint
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark of the certificate to define the RDN.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <substeps>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Delete the <literal>ads-certificate</literal> entry.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: delete
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProcessing DELETE request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkDELETE operation successful for DN ds-cfg-key-id=ads-certificate,
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn=ads-truststore</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Prompt OpenDJ to generate a new, self-signed
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ads-certificate</literal> key pair.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You do this by adding an <literal>ads-certificate</literal> entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark with object class <literal>ds-cfg-self-signed-cert-request</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: add
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectclass: ds-cfg-self-signed-cert-request
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProcessing ADD request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkADD operation successful for DN ds-cfg-key-id=ads-certificate,cn=ads-truststore</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Retrieve the <literal>ads-certificate</literal> entry.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN cn=ads-truststore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(ds-cfg-key-id=ads-certificate)"</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-cfg-key-id: ads-certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark CBiQKBgQCfGLAiUOz4sC8CM9T5DPTk9V9ErNC8N59XwBt1aN7UjhQl4/JZZsetubtUrZBLS9cRrnYdZ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cpFgLQNEmXifS+PdZ0DJkaLNFmd8ZX0spX8++fb4SkkggkmNRmi1fccDQ/DHMlwl7kk884lXummrzcD
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 7IvpE7jGVZh6KvM0m5sBNX3wPbTVJQNij3TDm8nx6yhi6DUkpiAZfz/OBL5k+WSw80TjpIZ2+klhP1s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkobjectClass: ds-cfg-instance-key</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Retrieve the MD5 fingerprint of the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ads-certificate</literal> from the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <filename>ads-truststore</filename> keystore.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In this example, the MD5 fingerprint is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -list \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -v \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias ads-certificate \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore /path/to/opendj/config/ads-truststore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat /path/to/opendj/config/ads-truststore.pin`</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Alias name: ads-certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCreation date: Feb 7, 2013
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkEntry type: PrivateKeyEntry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate chain length: 1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate[1]:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkOwner: CN=opendj.example.com, O=OpenDJ Certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkIssuer: CN=opendj.example.com, O=OpenDJ Certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSerial number: ca49416
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkValid from: Thu Feb 07 11:30:33 CET 2013 until: Wed Feb 02 11:30:33 CET 2033
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate fingerprints:
08248b5c5b494aff8d1922e8e0b5777796d7450dmark MD5: 07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C
08248b5c5b494aff8d1922e8e0b5777796d7450dmark SHA1: 56:30:F6:79:AA:C0:BD:61:88:3E:FB:38:38:9D:84:70:0B:E4:43:57
08248b5c5b494aff8d1922e8e0b5777796d7450dmark SHA256: A8:4B:81:EE:30:2A:0C:09:2E:...:C1:41:F5:AB:19:C6:EE:AB:50:64
08248b5c5b494aff8d1922e8e0b5777796d7450dmark Signature algorithm name: SHA1withRSA
08248b5c5b494aff8d1922e8e0b5777796d7450dmark Version: 3</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Using the MD5 fingerprint and the certificate entry, prepare LDIF
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to update <literal>cn=admin data</literal> with the new server
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark certificate. The <literal>ds-cfg-key-id</literal> value is the MD5
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark fingerprint with the colon separators removed, and the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ds-cfg-public-key-certificate</literal> value is the one
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark returned by the earlier search of <literal>cn=ads-truststore</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cat /path/to/update-server-cert.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cn=admin data
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: add
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark LmNvbTAeFw0xMzAyMDcxMDMwMzNaFw0zMzAyMDIxMDMwMzNaMDoxGzAZBgNVBAoTEk9wZW5ESiBDZXJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 0aWZpY2F0ZTEbMBkGA1UEAxMSb3BlbmFtLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNAD
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark CBiQKBgQCfGLAiUOz4sC8CM9T5DPTk9V9ErNC8N59XwBt1aN7UjhQl4/JZZsetubtUrZBLS9cRrnYdZ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cpFgLQNEmXifS+PdZ0DJkaLNFmd8ZX0spX8++fb4SkkggkmNRmi1fccDQ/DHMlwl7kk884lXummrzcD
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark GbZ7p4vnY7y7GmD1vZSP+wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJciUzUP8T8A9VV6dQB0SYCNG1o
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark 7IvpE7jGVZh6KvM0m5sBNX3wPbTVJQNij3TDm8nx6yhi6DUkpiAZfz/OBL5k+WSw80TjpIZ2+klhP1s
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: ds-cfg-instance-key
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: cn=opendj.example.com:4444,cn=Servers,cn=admin data
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkreplace: ds-cfg-key-id
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
08248b5c5b494aff8d1922e8e0b5777796d7450dmark</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Update the administrative data, causing OpenDJ to create a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark copy of the new <literal>ads-certificate</literal> with its MD5 fingerprint
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark as the alias in the <filename>ads-truststore</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --filename /path/to/update-server-cert.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing ADD request for ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cn=instance keys,cn=admin data
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkADD operation successful for DN ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cn=instance keys,cn=admin data
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkProcessing MODIFY request for cn=opendj.example.com:4444,cn=Servers,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark cn=admin data
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkMODIFY operation successful for DN cn=opendj.example.com:4444,cn=Servers,
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn=admin data</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </substeps>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Force OpenDJ to reopen replication connections using the new key
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark pair.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Stop replication temporarily and then start it again as described
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in the <citetitle>Administration Guide</citetitle> section on <link
08248b5c5b494aff8d1922e8e0b5777796d7450dmark xlink:show="new"
08248b5c5b494aff8d1922e8e0b5777796d7450dmark xlink:href="admin-guide#configure-repl"
08248b5c5b494aff8d1922e8e0b5777796d7450dmark xlink:role="http://docbook.org/xlink/role/olink"
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ><citetitle>Configuring Replication</citetitle></link>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-synchronization-provider-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --provider-name "Multimaster Synchronization" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:false \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark set-synchronization-provider-prop \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --hostname opendj.example.com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --provider-name "Multimaster Synchronization" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set enabled:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark</chapter>