Replace the listener certificate for this Ping Identity Directory Server instance.
replace-certificate replace-listener-certificate \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --source-key-store-file new-listener-certificate-keystore.jks \
    --source-key-store-password-file new-listener-certificate-keystore.pin \
    --source-certificate-alias new-listener-cert --key-manager-provider JKS \
    --trust-manager-provider JKS --target-certificate-alias server-cert
replace-certificate replace-inter-server-certificate \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --source-key-store-file new-inter-server-certificate-keystore.jks \
    --source-key-store-password-file new-inter-server-certificate-keystore.pin \
    --source-certificate-alias new-inter-server-cert
replace-certificate purge-retired-listener-certificates \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt
replace-certificate purge-retired-inter-server-certificates \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt
Purge any retired inter-server certificates from the topology registry in a remote server instance
replace-certificate purge-remote-retired-inter-server-certificates \
    --hostname ds.example.com --port 636 --useSSL \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt
Purge any retired listener certificates from the topology registry in a remote server instance
replace-certificate purge-remote-retired-listener-certificates \
    --hostname ds.example.com --port 636 --useSSL \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt
Purge any retired inter-server certificates for the local instance from the topology registry
replace-certificate purge-retired-inter-server-certificates \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt
Purge any retired listener certificates for the local instance from the topology registry
replace-certificate purge-retired-listener-certificates \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt
Replace the inter-server certificate that the server uses to authenticate itself to other instances in the topology
replace-certificate replace-inter-server-certificate \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --source-key-store-file new-inter-server-certificate-keystore.jks \
    --source-key-store-type JKS \
    --source-key-store-password-file new-inter-server-certificate-keystore.pin \
    --source-certificate-alias new-inter-server-cert
--source-key-store-file {path}
Description | The path to the key store file that holds the new inter-server certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. The new inter-server certificate must use an RSA key with a key size of at least 2048 bits. Each instance in the topology must have a unique inter-server certificate. We recommend that this certificate be self-signed and have a long validity window to ensure that it does not need to be replaced frequently |
Required | Yes |
Multi-Valued | No |
--source-key-store-type {JKS|PKCS12|BCFKS}
Description | The key store type for the source key store. If specified, it must be one of JKS, PKCS12, or BCFKS. If it is not specified, the key store type will be automatically determined |
Required | No |
Multi-Valued | No |
--source-key-store-password {password}
Description | The password needed to interact with the source key store. Exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--source-key-store-password-file {path}
Description | The path to a file containing the password needed to interact with the source key store. If provided, this file must exist, and it must contain exactly one line with the password to use. The file may have optionally been encrypted with the encrypt-file tool using a key from the server's encryption settings database. Exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--source-certificate-alias {alias}
Description | The alias, or nickname, of the source key store entry that contains the complete certificate chain and private key for the new inter-server certificate. This must be provided if the source key store contains more than one private key entry |
Required | No |
Multi-Valued | No |
--source-private-key-password {password}
Description | The password used to protect the source certificate's private key. This may be omitted if the private key password matches the key store password (which is often the case). If the private key password differs from the key store password, then exactly one of the --source-private-key-password and --source-private-key-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--source-private-key-password-file {path}
Description | The path to a file containing the password used to protect the source certificate's private key. This may be omitted if the private key password matches the key store password (which is often the case). If provided, this file must exist, and it must contain exactly one line with the password to use. The file may have optionally been encrypted with the encrypt-file tool using a key from the server's encryption settings database. If the private key password differs from the key store password, then exactly one of the --source-private-key-password and --source-private-key-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--skip-certificate-validation
Description | Skip some of the validation that the tool normally performs for the new inter-server certificate chain, including verifying that the chain is complete and that all of the certificates are within their validity window |
Replace a listener certificate that the server uses for TLS communication
replace-certificate replace-listener-certificate \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --source-key-store-file new-listener-certificate-keystore.jks \
    --source-key-store-type JKS \
    --source-key-store-password-file new-listener-certificate-keystore.pin \
    --source-certificate-alias new-listener-cert --key-manager-provider JKS \
    --trust-manager-provider JKS --target-certificate-alias server-cert
--source-key-store-file {path}
Description | The path to the key store file that holds the new listener certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain |
Required | Yes |
Multi-Valued | No |
--source-key-store-type {JKS|PKCS12|BCFKS}
Description | The key store type for the source key store. If specified, it must be one of JKS, PKCS12, or BCFKS. If it is not specified, the key store type will be automatically determined |
Required | No |
Multi-Valued | No |
--source-key-store-password {password}
Description | The password needed to interact with the source key store. Exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--source-key-store-password-file {path}
Description | The path to a file containing the password needed to interact with the source key store. If provided, this file must exist, and it must contain exactly one line with the password to use. The file may have optionally been encrypted with the encrypt-file tool using a key from the server's encryption settings database. Exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--source-certificate-alias {alias}
Description | The alias, or nickname, of the source key store entry that contains the complete certificate chain and private key for the new listener certificate. This must be provided if the source key store contains more than one private key entry |
Required | No |
Multi-Valued | No |
--source-private-key-password {password}
Description | The password used to protect the source certificate's private key. This may be omitted if the private key password matches the key store password (which is often the case). If the private key password differs from the key store password, then exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--source-private-key-password-file {path}
Description | The path to a file containing the password used to protect the source certificate's private key. This may be omitted if the private key password matches the key store password (which is often the case). If provided, this file must exist, and it must contain exactly one line with the password to use. The file may have optionally been encrypted with the encrypt-file tool using a key from the server's encryption settings database. If the private key password differs from the key store password, then exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--skip-certificate-validation
Description | Skip some of the validation that the tool normally performs for the new listener certificate chain, including verifying that the chain is complete and that all of the certificates are within their validity window |
--key-manager-provider {name}
Description | The name of the key manager provider that is defined in the server configuration and specifies the settings for the key store to update with the new listener certificate. It must be a file-based key manager provider, and it must be enabled. Any LDAP or JMX connection handlers configured to use this key manager provider will automatically start using the new certificate immediately. Any HTTP connection handlers configured to use this key manager provider will start using the new certificate after the server is restarted or the reload-http-connection-handler-certificates tool is invoked. If this argument is not provided, a default value of 'JKS' will be assumed |
Default Value | JKS |
Required | Yes |
Multi-Valued | No |
--trust-manager-provider {name}
Description | The name of the trust manager provider that is defined in the server configuration and specifies the settings for the trust store to be updated with information needed to trust the new source certificate. This argument must not be used in conjunction with the --use-jvm-default-trust-manager-provider argument. If this argument is provided, then the value must specify the name of an enabled file-based trust manager provider. Any connection handlers configured to use the specified key manager provider will also be updated if necessary to use this new trust manager provider. If neither the --trust-manager-provider nor the --use-jvm-default-trust-manager-provider argument is provided, the tool will assume that the trust manager provider uses the same name as the key manager provider |
Required | No |
Multi-Valued | No |
--use-jvm-default-trust-manager-provider
Description | Indicates that the connection handlers configured to use the target key manager provider should be updated with a trust manager provider that will automatically trust any certificate signed by any certificate in the JVM's default set of trusted issuers. This argument must not be used in conjunction with the --trust-manager-provider argument. It is only recommended for use if the new listener certificate, and any certificates that clients may present to the server, are signed with one of those trusted issuers |
--target-certificate-alias {alias}
Description | The alias, or nickname, that will be used for the new listener certificate in the target key manager provider's key store. If the key store already contains an entry with this alias, the existing entry will be renamed before the new entry is written. If this argument is not provided, a default value of 'server-cert' will be assumed |
Default Value | server-cert |
Required | Yes |
Multi-Valued | No |
--reload-http-connection-handler-certificates
Description | Request that the server reload any certificates associated with HTTP connection handlers configured with support for HTTPS. Note that this may prevent clients from resuming TLS sessions created before the reload |
Replace the inter-server certificate in a remote server instance. The new inter-server certificate chain may be obtained from a key store file already contained on the server filesystem, from a key store file that exists on the client filesystem, or from files containing the PEM or DER representations of the certificate chain and private key on the client filesystem
replace-certificate replace-remote-inter-server-certificate \
    --hostname ds.example.com --port 636 --useSSL \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --server-side-source-key-store-file /absolute/path/to/new-keystore-on-server.jks \
    --source-key-store-type JKS \
    --source-key-store-password-file new-listener-certificate-keystore.pin \
    --source-certificate-alias new-listener-cert
replace-certificate replace-remote-inter-server-certificate \
    --hostname ds.example.com --port 636 --useSSL \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --client-side-source-key-store-file new-keystore-on-client.jks \
    --source-key-store-type JKS \
    --source-key-store-password-file new-listener-certificate-keystore.pin \
    --source-certificate-alias new-listener-cert
replace-certificate replace-remote-inter-server-certificate \
    --hostname ds.example.com --port 636 --useSSL \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --client-side-source-certificate-file new-inter-server-cert.pem \
    --client-side-source-certificate-file intermediate-ca-cert.pem \
    --client-side-source-certificate-file root-ca-cert.pem \
    --client-side-source-private-key-file new-inter-server-key.pem
--server-side-source-key-store-file {path}
Description | The path on the server filesystem to the key store file that holds the new inter-server certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. This argument cannot be used in conjunction with the client-side-source-key-store-file or client-side-source-certificate-file arguments |
Required | No |
Multi-Valued | No |
--client-side-source-key-store-file {path}
Description | The path on the client filesystem to the key store file that holds the new inter-server certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. This argument cannot be used in conjunction with the server-side-source-key-store-file or client-side-source-certificate-file arguments |
Required | No |
Multi-Valued | No |
--client-side-source-certificate-file {path}
Description | The path on the client filesystem to a file that holds one or more certificates (in PEM or DER format) for the new inter-server certificate chain. This argument may be provided multiple times if the source certificate chain is split into multiple files. The certificates must be ordered so that the new inter-server certificate is the first certificate in the chain and each subsequent certificate is the issuer for the previous certificate. This argument cannot be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments |
Required | No |
Multi-Valued | Yes |
--client-side-source-private-key-file {path}
Description | The path on the client filesystem to a file that holds the private key (in PEM or DER format) for the new inter-server certificate. This argument may only be provided if the client-side-source-certificate-file argument is also given, and if it is not provided, then it will be assumed that the new inter-server certificate will use the same private key as the current inter-server certificate |
Required | No |
Multi-Valued | No |
--source-key-store-type {JKS|PKCS12|BCFKS}
Description | The key store type for the source key store. If specified, it must be one of JKS, PKCS12, or BCFKS. If it is not specified, the key store type will be automatically determined |
Required | No |
Multi-Valued | No |
--source-key-store-password {password}
Description | The password needed to interact with the source key store. This argument can only be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments, but if one of those arguments is provided, then exactly one of the source-key-store-password or source-key-store-password-file arguments must also be given |
Required | No |
Multi-Valued | No |
--source-key-store-password-file {path}
Description | The path to a file on the client filesystem that contains the password needed to interact with the source key store. If provided, this file must exist, and it must contain exactly one line with the password to use. This argument can only be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments, but if one of those arguments is provided, then exactly one of the source-key-store-password or source-key-store-password-file arguments must also be given |
Required | No |
Multi-Valued | No |
--source-certificate-alias {alias}
Description | The alias, or nickname, of the source key store entry that contains the complete certificate chain and private key for the new inter-server certificate. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it must be provided if the source key store contains more than one private key entry |
Required | No |
Multi-Valued | No |
--source-private-key-password {password}
Description | The password used to protect the source certificate's private key. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it may be omitted if the private key password matches the key store password (which is often the case). If the private key password differs from the key store password, then exactly one of the source-key-store-password and source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--source-private-key-password-file {path}
Description | The path to a file on the client filesystem that contains the password used to protect the source certificate's private key. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it may be omitted if the private key password matches the key store password (which is often the case). If provided, this file must exist, and it must contain exactly one line with the password to use. If the private key password differs from the key store password, then exactly one of the source-key-store-password and source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--skip-certificate-validation
Description | Skip some of the validation that the tool normally performs for the new inter-server certificate chain, including verifying that the chain is complete and that all of the certificates are within their validity window |
Replace a TLS listener certificate in a remote server instance. The new listener certificate chain may be obtained from a key store file already contained on the server filesystem, from a key store file that exists on the client filesystem, or from files containing the PEM or DER representations of the certificate chain and private key on the client filesystem
replace-certificate replace-remote-listener-certificate \
    --hostname ds.example.com --port 636 --useSSL \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --server-side-source-key-store-file /absolute/path/to/new-keystore-on-server.jks \
    --source-key-store-type JKS \
    --source-key-store-password-file new-listener-certificate-keystore.pin \
    --source-certificate-alias new-listener-cert --key-manager-provider JKS \
    --trust-manager-provider JKS --target-certificate-alias server-cert
replace-certificate replace-remote-listener-certificate \
    --hostname ds.example.com --port 636 --useSSL \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --client-side-source-key-store-file new-keystore-on-client.jks \
    --source-key-store-type JKS \
    --source-key-store-password-file new-listener-certificate-keystore.pin \
    --source-certificate-alias new-listener-cert --key-manager-provider JKS \
    --trust-manager-provider JKS --target-certificate-alias server-cert
replace-certificate replace-remote-listener-certificate \
    --hostname ds.example.com --port 636 --useSSL \
    --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
    --client-side-source-certificate-file new-listener-cert.pem \
    --client-side-source-certificate-file intermediate-ca-cert.pem \
    --client-side-source-certificate-file root-ca-cert.pem \
    --client-side-source-private-key-file new-listener-key.pem \
    --key-manager-provider JKS --trust-manager-provider JKS \
    --target-certificate-alias server-cert
--server-side-source-key-store-file {path}
Description | The absolute path on the server filesystem to the key store file that holds the new listener certificate. It must exist, it must be specified as an absolute path, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. This argument cannot be used in conjunction with the client-side-source-key-store-file or client-side-source-certificate-file arguments |
Required | No |
Multi-Valued | No |
--client-side-source-key-store-file {path}
Description | The path on the client filesystem to the key store file that holds the new listener certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. This argument cannot be used in conjunction with the server-side-source-key-store-file or client-side-source-certificate-file arguments |
Required | No |
Multi-Valued | No |
--client-side-source-certificate-file {path}
Description | The path on the client filesystem to a file that holds one or more certificates (in PEM or DER format) for the new listener certificate chain. This argument may be provided multiple times if the source certificate chain is split into multiple files. The certificates must be ordered so that the new listener certificate is the first certificate in the chain and each subsequent certificate is the issuer for the previous certificate. This argument cannot be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments |
Required | No |
Multi-Valued | Yes |
--client-side-source-private-key-file {path}
Description | The path on the client filesystem to a file that holds the private key (in PEM or DER format) for the new listener certificate. This argument may only be provided if the client-side-source-certificate-file argument is also given, and if it is not provided, then it will be assumed that the new listener certificate will use the same private key as the current listener certificate |
Required | No |
Multi-Valued | No |
--source-key-store-type {JKS|PKCS12|BCFKS}
Description | The key store type for the source key store. If specified, it must be one of JKS, PKCS12, or BCFKS. If it is not specified, the key store type will be automatically determined |
Required | No |
Multi-Valued | No |
--source-key-store-password {password}
Description | The password needed to interact with the source key store. This argument can only be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments, but if one of those arguments is provided, then exactly one of the source-key-store-password or source-key-store-password-file arguments must also be given |
Required | No |
Multi-Valued | No |
--source-key-store-password-file {path}
Description | The path to a file on the client filesystem that contains the password needed to interact with the source key store. If provided, this file must exist, and it must contain exactly one line with the password to use. This argument can only be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments, but if one of those arguments is provided, then exactly one of the source-key-store-password or source-key-store-password-file arguments must also be given |
Required | No |
Multi-Valued | No |
--source-certificate-alias {alias}
Description | The alias, or nickname, of the source key store entry that contains the complete certificate chain and private key for the new listener certificate. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it must be provided if the source key store contains more than one private key entry |
Required | No |
Multi-Valued | No |
--source-private-key-password {password}
Description | The password used to protect the source certificate's private key. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it may be omitted if the private key password matches the key store password (which is often the case). If the private key password differs from the key store password, then exactly one of the source-key-store-password and source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--source-private-key-password-file {path}
Description | The path to a file on the client filesystem that contains the password used to protect the source certificate's private key. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it may be omitted if the private key password matches the key store password (which is often the case). If provided, this file must exist, and it must contain exactly one line with the password to use. If the private key password differs from the key store password, then exactly one of the source-key-store-password and source-key-store-password-file arguments must be provided |
Required | No |
Multi-Valued | No |
--skip-certificate-validation
Description | Skip some of the validation that the tool normally performs for the new listener certificate chain, including verifying that the chain is complete and that all of the certificates are within their validity window |
--key-manager-provider {name}
Description | The name of the key manager provider that is defined in the server configuration and specifies the settings for the key store to update with the new listener certificate. It must be a file-based key manager provider, and it must be enabled. Any LDAP or JMX connection handlers configured to use this key manager provider will automatically start using the new certificate immediately. Any HTTP connection handlers configured to use this key manager provider will start using the new certificate after the server is restarted or the reload-http-connection-handler-certificates tool is invoked. If this argument is not provided, a default value of 'JKS' will be assumed |
Default Value | JKS |
Required | Yes |
Multi-Valued | No |
--trust-manager-provider {name}
Description | The name of the trust manager provider that is defined in the server configuration and specifies the settings for the trust store to be updated with information needed to trust the new source certificate. This argument must not be used in conjunction with the --use-jvm-default-trust-manager-provider argument. If this argument is provided, then the value must specify the name of an enabled file-based trust manager provider. Any connection handlers configured to use the specified key manager provider will also be updated if necessary to use this new trust manager provider. If neither the trust-manager-provider nor the use-jvm-default-trust-manager-provider argument is provided, the tool will assume that the trust manager provider uses the same name as the key manager provider |
Required | No |
Multi-Valued | No |
--use-jvm-default-trust-manager-provider
Description | Indicates that the connection handlers configured to use the target key manager provider should be updated with a trust manager provider that will automatically trust any certificate signed by any certificate in the JVM's default set of trusted issuers. This argument must not be used in conjunction with the --trust-manager-provider argument. It is only recommended for use if the new listener certificate, and any certificates that clients may present to the server, are signed with one of those trusted issuers |
--target-certificate-alias {alias}
Description | The alias, or nickname, that will be used for the new listener certificate in the target key manager provider's key store. If the key store already contains an entry with this alias, the existing entry will be renamed before the new entry is written. If this argument is not provided, a default value of 'server-cert' will be assumed |
Default Value | server-cert |
Required | Yes |
Multi-Valued | No |
--reload-http-connection-handler-certificates
Description | Request that the server reload any certificates associated with HTTP connection handlers configured with support for HTTPS. Note that this may prevent clients from resuming TLS sessions created before the reload |
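The argument rules stated above for the replace-remote-listener-certificate and replace-remote-inter-server-certificate subcommands, written as a pre-flight check that a rotation script can run before it calls the tool. This is an added example, not Ping Identity code: check_pin_file, lint_remote_replace_args and finding are hypothetical names, the checks marked "policy" are this example's own choices rather than tool rules, and password files are assumed to be cleartext.

```shell
#!/bin/sh
# Added example (not Ping Identity code): lint the argument list of a
# replace-certificate replace-remote-* invocation before running it.
# "page"   = rule taken from the argument descriptions on this page.
# "policy" = extra restriction chosen by this example.

n=0
finding() { echo "LINT: $*" >&2; n=$((n + 1)); }

# check_pin_file PATH
# page: a password file must exist and contain exactly one line.
# policy: the line must be non-empty and the file closed to group and other.
check_pin_file() {
    [ -f "$1" ] || { echo "LINT: password file not found: $1" >&2; return 1; }
    # awk counts a final line even without a trailing newline; wc -l would not.
    [ "$(awk 'END { print NR }' < "$1")" -eq 1 ] ||
        { echo "LINT: $1 must contain exactly one line" >&2; return 1; }
    [ -n "$(head -n 1 < "$1")" ] ||
        { echo "LINT: $1 holds an empty password line" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] ||
        { echo "LINT: $1 is accessible to group or other" >&2; return 1; }
}

# lint_remote_replace_args ARG...
# Returns the number of findings (0 means the argument list is clean).
lint_remote_replace_args() {
    ks_srv=0 ks_cli=0 pem=0 key=0 pw=0 pwf=0 tmp=0 jvm=0 ks_only= risky= pin= n=0
    while [ $# -gt 0 ]; do
        # Option values match none of the patterns and are stepped over.
        case $1 in
            --server-side-source-key-store-file)      ks_srv=1 ;;
            --client-side-source-key-store-file)      ks_cli=1 ;;
            --client-side-source-certificate-file)    pem=1 ;;
            --client-side-source-private-key-file)    key=1 ;;
            --source-key-store-password)              pw=1 ;;
            --source-key-store-password-file)         pwf=1; pin=${2-} ;;
            --source-certificate-alias|--source-private-key-password|--source-private-key-password-file)
                ks_only="$ks_only $1" ;;
            --trust-manager-provider)                 tmp=1 ;;
            --use-jvm-default-trust-manager-provider) jvm=1 ;;
            --skip-certificate-validation|-X|--trustAll|-w|--bindPassword)
                risky="$risky $1" ;;
        esac
        shift
    done
    ks=$((ks_srv + ks_cli))
    # page: the three source kinds cannot be combined.
    # Requiring that one of them is present is an assumption of this example.
    [ $((ks + pem)) -eq 1 ] ||
        finding "give exactly one certificate source (server-side key store, client-side key store, or client-side certificate files)"
    if [ "$ks" -ge 1 ]; then
        # page: a key store source needs exactly one of the two password arguments.
        [ $((pw + pwf)) -eq 1 ] ||
            finding "key store source needs exactly one of --source-key-store-password / --source-key-store-password-file"
    else
        # page: these arguments are only valid together with a key store source.
        [ $((pw + pwf)) -eq 0 ] ||
            finding "key store password arguments require a key store source"
        [ -z "$ks_only" ] || finding "only valid with a key store source:$ks_only"
    fi
    # page: the private key file may only accompany the certificate-file form.
    [ "$key" -eq 0 ] || [ "$pem" -eq 1 ] ||
        finding "--client-side-source-private-key-file requires --client-side-source-certificate-file"
    # page: the two trust manager arguments must not be used together.
    [ $((tmp + jvm)) -le 1 ] ||
        finding "--trust-manager-provider conflicts with --use-jvm-default-trust-manager-provider"
    # policy: command-line passwords are visible in process listings.
    [ "$pw" -eq 0 ] ||
        finding "--source-key-store-password is inline; use --source-key-store-password-file"
    # policy: no disabled validation, blanket trust, or inline bind password.
    [ -z "$risky" ] || finding "refused by policy:$risky"
    # page: the password file is read from the client filesystem, so check it here.
    [ -z "$pin" ] || check_pin_file "$pin" || n=$((n + 1))
    return "$n"
}

# Demo on a constructed invocation that mixes a PEM source with
# key-store-only arguments, an inline password, and --trustAll.
lint_remote_replace_args --hostname ds.example.com --port 636 --useSSL --trustAll \
    --client-side-source-certificate-file new-listener-cert.pem \
    --source-certificate-alias new-listener-cert \
    --source-key-store-password changeit || echo "findings: $?"
```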
-V
--version
Description | Display Directory Server version information |
-H
--help
Description | Display general usage information |
--help-debug
Description | Display help for using debug options |
Advanced | Yes |
-h {host}
--hostname {host}
Description | The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used. |
Default Value | localhost |
Required | Yes |
Multi-Valued | No |
-p {port}
--port {port}
Description | The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used. |
Default Value | 389 |
Required | Yes |
Multi-Valued | No |
-D {dn}
--bindDN {dn}
Description | The DN to use to bind to the directory server when performing simple authentication. |
Required | No |
Multi-Valued | No |
-w {password}
--bindPassword {password}
Description | The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
-j {path}
--bindPasswordFile {path}
Description | The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism. |
Required | No |
Multi-Valued | No |
--promptForBindPassword
Description | Indicates that the tool should interactively prompt the user for the bind password. |
-Z
--useSSL
Description | Use SSL when communicating with the directory server. |
-q
--useStartTLS
Description | Use StartTLS when communicating with the directory server. |
--defaultTrust
Description | Use the JVM's default trust store, the server's default trust store, the server's topology registry, and optionally an additional trust store specified using the --trustStorePath argument to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it. |
-X
--trustAll
Description | Trust any certificate presented by the directory server. |
-K {path}
--keyStorePath {path}
Description | The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server. |
Required | No |
Multi-Valued | No |
-W {password}
--keyStorePassword {password}
Description | The password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
-u {path}
--keyStorePasswordFile {path}
Description | The path to the file containing the password to use to access the key store contents. |
Required | No |
Multi-Valued | No |
--promptForKeyStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the key store contents. |
--keyStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file. |
Required | No |
Multi-Valued | No |
-P {path}
--trustStorePath {path}
Description | The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server. |
Required | No |
Multi-Valued | No |
-T {password}
--trustStorePassword {password}
Description | The password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
-U {path}
--trustStorePasswordFile {path}
Description | The path to the file containing the password to use to access the trust store contents. |
Required | No |
Multi-Valued | No |
--promptForTrustStorePassword
Description | Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents. |
--trustStoreFormat {format}
Description | The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file. |
Required | No |
Multi-Valued | No |
-N {nickname}
--certNickname {nickname}
Description | The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication. |
Required | No |
Multi-Valued | No |
--enableSSLDebugging
Description | Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the 'javax.net.debug' property to 'all'. |
-o {name=value}
--saslOption {name=value}
Description | A name-value pair providing information to use when performing SASL authentication. |
Required | No |
Multi-Valued | Yes |
--useSASLExternal
Description | Use the SASL EXTERNAL mechanism to authenticate. |
--helpSASL
Description | Provide information about the supported SASL mechanisms, including the properties available for use with each. |
--interactive
Description | Launch the tool in interactive mode. |
--helpSubcommands
Description | Display the names and descriptions of the supported subcommands. |
--propertiesFilePath {path}
Description | The path to a properties file used to specify default values for arguments not supplied on the command line. |
Required | No |
Multi-Valued | No |
--generatePropertiesFile {path}
Description | Write an empty properties file that may be used to specify default values for arguments. |
Required | No |
Multi-Valued | No |
--noPropertiesFile
Description | Do not obtain any argument values from a properties file. |
--suppressPropertiesFileComment
Description | Suppress output listing the arguments obtained from a properties file. |