


Replace the listener certificate for this Ping Identity Directory Server instance.


Update any connection handlers that use the 'JKS' key manager provider to use a new listener certificate contained in the 'new-listener-certificate-keystore.jks' key store under the alias 'new-listener-cert':

replace-certificate replace-listener-certificate \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --source-key-store-file new-listener-certificate-keystore.jks \
     --source-key-store-password-file \
     --source-certificate-alias new-listener-cert --key-manager-provider JKS \
     --trust-manager-provider JKS --target-certificate-alias server-cert

Replace the server's current inter-server certificate with the certificate contained in the 'new-inter-server-certificate-keystore.jks' key store under the alias 'new-inter-server-cert':

replace-certificate replace-inter-server-certificate \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --source-key-store-file new-inter-server-certificate-keystore.jks \
     --source-key-store-password-file \
     --source-certificate-alias new-inter-server-cert

Purges any retired listener certificates for the local instance from the topology registry:

replace-certificate purge-retired-listener-certificates \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt

Purges any retired inter-server certificates for the local instance from the topology registry:

replace-certificate purge-retired-inter-server-certificates \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt


add-topology-registry-listener-certificate
list-topology-registry-inter-server-certificates
list-topology-registry-listener-certificates
purge-remote-retired-inter-server-certificates
purge-remote-retired-listener-certificates
purge-retired-inter-server-certificates
purge-retired-listener-certificates
replace-inter-server-certificate
replace-listener-certificate
replace-remote-inter-server-certificate
replace-remote-listener-certificate


Add one or more certificates to the set of listener certificates for a server instance in the topology registry. Note that this only updates the topology registry and does not alter the contents of any key store

add-topology-registry-listener-certificate Examples

Add the certificate contained in the specified file to the set of listener certificates for the local instance in the topology registry:

replace-certificate add-topology-registry-listener-certificate \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --certificate-file cert-file.pem

add-topology-registry-listener-certificate Arguments

--certificate-file {path}

Description The path to a file containing the PEM or DER representations of one or more X.509 listener certificates to add to the topology registry
Required Yes
Multi-Valued No

--instance-name {name}

Description The instance name for the server instance to which the new certificate should be added. If this is not provided, the local instance will be selected
Required No
Multi-Valued No


Retrieve a list of the inter-server certificates associated with a server instance in the topology registry

list-topology-registry-inter-server-certificates Examples

Retrieve a list of the topology registry inter-server certificates for the local instance:

replace-certificate list-topology-registry-inter-server-certificates

Retrieve a list of the topology registry inter-server certificates for the specified server instance:

replace-certificate list-topology-registry-inter-server-certificates \

list-topology-registry-inter-server-certificates Arguments

--instance-name {name}

Description The instance name for the server instance whose inter-server certificates should be listed. If this is not provided, the local instance will be selected
Required No
Multi-Valued No


Retrieve a list of the listener certificates associated with a server instance in the topology registry

list-topology-registry-listener-certificates Examples

Retrieve a list of the topology registry listener certificates for the local instance:

replace-certificate list-topology-registry-listener-certificates

Retrieve a list of the topology registry listener certificates for the specified server instance:

replace-certificate list-topology-registry-listener-certificates \

list-topology-registry-listener-certificates Arguments

--instance-name {name}

Description The instance name for the server instance whose listener certificates should be listed. If this is not provided, the local instance will be selected
Required No
Multi-Valued No


Purge any retired inter-server certificates from the topology registry in a remote server instance

purge-remote-retired-inter-server-certificates Examples

Purge any retired inter-server certificates from the specified server's topology registry:

replace-certificate purge-remote-retired-inter-server-certificates \
     --hostname --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt

purge-remote-retired-inter-server-certificates Arguments


Description Refresh any cached certificate monitor data immediately after purging retired inter-server certificates


Purge any retired listener certificates from the topology registry in a remote server instance

purge-remote-retired-listener-certificates Examples

Purge any retired listener certificates from the specified server's topology registry:

replace-certificate purge-remote-retired-listener-certificates \
     --hostname --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt

purge-remote-retired-listener-certificates Arguments


Description Refresh any cached certificate monitor data immediately after purging retired listener certificates


Purge any retired inter-server certificates for the local instance from the topology registry

purge-retired-inter-server-certificates Examples

Purges any retired inter-server certificates for the local instance from the topology registry:

replace-certificate purge-retired-inter-server-certificates \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt

purge-retired-inter-server-certificates Arguments


Description Refresh any cached certificate monitor data immediately after purging retired inter-server certificates


Purge any retired listener certificates for the local instance from the topology registry

purge-retired-listener-certificates Examples

Purges any retired listener certificates for the local instance from the topology registry:

replace-certificate purge-retired-listener-certificates \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt

purge-retired-listener-certificates Arguments


Description Refresh any cached certificate monitor data immediately after purging retired listener certificates


Replace the inter-server certificate that the server uses to authenticate itself to other instances in the topology

replace-inter-server-certificate Examples

Replace the server's current inter-server certificate with the certificate contained in the 'new-inter-server-certificate-keystore.jks' key store under the alias 'new-inter-server-cert':

replace-certificate replace-inter-server-certificate \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --source-key-store-file new-inter-server-certificate-keystore.jks \
     --source-key-store-type JKS \
     --source-key-store-password-file \
     --source-certificate-alias new-inter-server-cert

replace-inter-server-certificate Arguments

--source-key-store-file {path}

Description The path to the key store file that holds the new inter-server certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. The new inter-server certificate must use an RSA key with a key size between 2048 bits and 3072 bits. Each instance in the topology must have a unique inter-server certificate. We recommend that this certificate be self-signed and have a long validity window to ensure that it does not need to be replaced frequently
Required No
Multi-Valued No

--source-key-store-type {JKS|PKCS12|BCFKS}

Description The key store type for the source key store. If specified, it must be one of JKS, PKCS12, or BCFKS. If it is not specified, the key store type will be automatically determined
Required No
Multi-Valued No

--source-key-store-password {password}

Description The password needed to interact with the source key store. Exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided
Required No
Multi-Valued No

--source-key-store-password-file {path}

Description The path to a file containing the password needed to interact with the source key store. If provided, this file must exist, and it must contain exactly one line with the password to use. The file may have optionally been encrypted with the encrypt-file tool using a key from the server's encryption settings database. Exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided
Required No
Multi-Valued No

--source-certificate-file {path}

Description The path to a file that holds the PEM or DER representations of one or more certificates in the source certificate chain. Exactly one of the --source-key-store-file and --source-certificate-file arguments must be used. If this argument is provided, then it may be given multiple times if there are multiple certificates in the source chain and they are spread across multiple files (and in that case, certificates must be ordered with the end-entity certificate first and each subsequent certificate being the issuer for the previous)
Required No
Multi-Valued Yes

--source-private-key-file {path}

Description The path to a file that holds the PEM or DER representation of the private key for the source certificate. This argument must be provided if the --source-certificate-file argument is used
Required No
Multi-Valued No

--source-certificate-alias {alias}

Description The alias, or nickname, of the source key store entry that contains the complete certificate chain and private key for the new inter-server certificate. This must be provided if the source key store contains more than one private key entry
Required No
Multi-Valued No

--source-private-key-password {password}

Description The password used to protect the source certificate's private key. This may be omitted if the private key password matches the key store password (which is often the case). If the private key password differs from the key store password, then exactly one of the --source-private-key-password and --source-private-key-password-file arguments must be provided
Required No
Multi-Valued No

--source-private-key-password-file {path}

Description The path to a file containing the password used to protect the source certificate's private key. This may be omitted if the private key password matches the key store password (which is often the case). If provided, this file must exist, and it must contain exactly one line with the password to use. The file may have optionally been encrypted with the encrypt-file tool using a key from the server's encryption settings database. If the private key password differs from the key store password, then exactly one of the --source-private-key-password and --source-private-key-password-file arguments must be provided
Required No
Multi-Valued No


Description Skip some of the validation that the tool normally performs for the new inter-server certificate chain, including verifying that the chain is complete and that all of the certificates are within their validity window


Description Refresh any cached certificate monitor data immediately after updating the inter-server certificate
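
Three of the constraints above are easy to get wrong when a source chain is assembled by hand: the certificate order required for --source-certificate-file (end-entity certificate first, each following certificate the issuer of the previous), the chain-completeness and validity-window checks that the skip-validation argument disables, and the 2048- to 3072-bit RSA requirement for an inter-server certificate. The following script is an added example written for this page, not part of the Ping Identity tooling; it applies those rules to a PEM file before the tool is run. It uses only the Python standard library, compares issuer and subject names as raw DER bytes, treats "complete" as meaning the chain ends in a self-signed root (an assumption about what the tool verifies), and builds a constructed sample chain with dummy signatures so that it runs offline. The same checks, minus the key-size rule, apply to the listener-certificate subcommands.

```python
"""Pre-flight checks for a PEM chain before it is handed to replace-certificate.
Added example, standard library only; signatures are parsed around, not verified."""
import base64
import datetime as dt
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")         # rsaEncryption 1.2.840.113549.1.1.1
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
CN_OID = bytes.fromhex("550403")                      # id-at-commonName 2.5.4.3
UTC = dt.timezone.utc

def der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def children(value):
    """Split the content of a constructed DER value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                                 # long form length
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                                       # RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_cert(der_bytes):
    """Extract issuer/subject (raw DER, compared byte-for-byte), validity and RSA size."""
    tbs_fields = children(children(children(der_bytes)[0][1])[0][1])
    if tbs_fields[0][0] == 0xA0:                          # optional explicit [0] version
        tbs_fields = tbs_fields[1:]
    issuer, validity, subject, spki = (f[1] for f in tbs_fields[2:6])
    not_before, not_after = children(validity)
    algorithm, public_key = children(spki)
    rsa_bits = None
    if children(algorithm[1])[0][1] == RSA_OID:
        rsa_public_key = children(public_key[1][1:])[0][1]   # skip BIT STRING pad byte
        rsa_bits = int.from_bytes(children(rsa_public_key)[0][1], "big").bit_length()
    return {"issuer": issuer, "subject": subject, "rsa_bits": rsa_bits,
            "not_before": parse_time(*not_before), "not_after": parse_time(*not_after)}

def pem_to_ders(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain(pem_text, now=None, inter_server=False):
    """Return the problems the tool would flag for this chain; [] means it passes."""
    now = now or dt.datetime.now(UTC)
    certs = [parse_cert(d) for d in pem_to_ders(pem_text)]
    if not certs:
        return ["no certificates found in input"]
    problems = []
    for i, cert in enumerate(certs):
        if not cert["not_before"] <= now <= cert["not_after"]:
            problems.append(f"certificate #{i} is outside its validity window")
        if i and certs[i - 1]["issuer"] != cert["subject"]:
            problems.append(f"certificate #{i} did not issue certificate #{i - 1} (wrong order?)")
    if certs[-1]["issuer"] != certs[-1]["subject"]:   # assumed meaning of "complete chain"
        problems.append("chain is incomplete: last certificate is not a self-signed root")
    if inter_server and not (certs[0]["rsa_bits"] and 2048 <= certs[0]["rsa_bits"] <= 3072):
        problems.append("inter-server certificate must use an RSA key of 2048-3072 bits")
    return problems

def make_cert(subject_cn, issuer_cn, rsa_bits, not_before, not_after):
    """Constructed test certificate: real X.509 layout, dummy signature (never trust it)."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    time = lambda t: der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())
    modulus = (1 << (rsa_bits - 1)) | 1                   # odd, exactly rsa_bits bits long
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus.to_bytes(rsa_bits // 8, "big"))
                  + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    sig_alg = der(0x30, der(0x06, SHA256_RSA_OID) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name(issuer_cn)
              + der(0x30, time(not_before) + time(not_after)) + name(subject_cn) + spki)
    cert = der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(32)))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(cert).decode()}-----END CERTIFICATE-----\n"

def sample_chain(leaf_bits=2048):
    """Constructed chain valid 2024-2029: leaf -> intermediate -> self-signed root."""
    nb, na = dt.datetime(2024, 1, 1, tzinfo=UTC), dt.datetime(2029, 1, 1, tzinfo=UTC)
    return [make_cert("ds1.example.com", "Example Intermediate CA", leaf_bits, nb, na),
            make_cert("Example Intermediate CA", "Example Root CA", 4096, nb, na),
            make_cert("Example Root CA", "Example Root CA", 4096, nb, na)]

if __name__ == "__main__":
    now = dt.datetime(2025, 6, 1, tzinfo=UTC)
    print(check_chain("".join(sample_chain()), now=now, inter_server=True) or "chain passes all checks")
```

Feed check_chain the concatenation of the files you intend to pass with --source-certificate-file, in that order; an empty list means the chain satisfies the documented rules, and each message names the certificate position that would make the tool reject it. The script does not verify signatures or revocation, so it is a pre-flight check, not a substitute for the tool's own validation.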


Replace a listener certificate that the server uses for TLS communication

replace-listener-certificate Examples

Update any connection handlers that use the 'JKS' key manager provider to use a new listener certificate contained in the 'new-listener-certificate-keystore.jks' key store under the alias 'new-listener-cert':

replace-certificate replace-listener-certificate \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --source-key-store-file new-listener-certificate-keystore.jks \
     --source-key-store-type JKS \
     --source-key-store-password-file \
     --source-certificate-alias new-listener-cert --key-manager-provider JKS \
     --trust-manager-provider JKS --target-certificate-alias server-cert

replace-listener-certificate Arguments

--source-key-store-file {path}

Description The path to the key store file that holds the new listener certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain
Required No
Multi-Valued No

--source-key-store-type {JKS|PKCS12|BCFKS}

Description The key store type for the source key store. If specified, it must be one of JKS, PKCS12, or BCFKS. If it is not specified, the key store type will be automatically determined
Required No
Multi-Valued No

--source-key-store-password {password}

Description The password needed to interact with the source key store. Exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided
Required No
Multi-Valued No

--source-key-store-password-file {path}

Description The path to a file containing the password needed to interact with the source key store. If provided, this file must exist, and it must contain exactly one line with the password to use. The file may have optionally been encrypted with the encrypt-file tool using a key from the server's encryption settings database. Exactly one of the --source-key-store-password and --source-key-store-password-file arguments must be provided
Required No
Multi-Valued No

--source-certificate-file {path}

Description The path to a file that holds the PEM or DER representations of one or more certificates in the source certificate chain. Exactly one of the --source-key-store-file and --source-certificate-file arguments must be used. If this argument is provided, then it may be given multiple times if there are multiple certificates in the source chain and they are spread across multiple files (and in that case, certificates must be ordered with the end-entity certificate first and each subsequent certificate being the issuer for the previous)
Required No
Multi-Valued Yes

--source-private-key-file {path}

Description The path to a file that holds the PEM or DER representation of the private key for the source certificate. This argument must be provided if the --source-certificate-file argument is used
Required No
Multi-Valued No

--source-certificate-alias {alias}

Description The alias, or nickname, of the source key store entry that contains the complete certificate chain and private key for the new listener certificate. This must be provided if the source key store contains more than one private key entry
Required No
Multi-Valued No

--source-private-key-password {password}

Description The password used to protect the source certificate's private key. This may be omitted if the private key password matches the key store password (which is often the case). If the private key password differs from the key store password, then exactly one of the --source-private-key-password and --source-private-key-password-file arguments must be provided
Required No
Multi-Valued No

--source-private-key-password-file {path}

Description The path to a file containing the password used to protect the source certificate's private key. This may be omitted if the private key password matches the key store password (which is often the case). If provided, this file must exist, and it must contain exactly one line with the password to use. The file may have optionally been encrypted with the encrypt-file tool using a key from the server's encryption settings database. If the private key password differs from the key store password, then exactly one of the --source-private-key-password and --source-private-key-password-file arguments must be provided
Required No
Multi-Valued No


Description Skip some of the validation that the tool normally performs for the new listener certificate chain, including verifying that the chain is complete and that all of the certificates are within their validity window

--key-manager-provider {name}

Description The name of the key manager provider that is defined in the server configuration and specifies the settings for the key store to update with the new listener certificate. It must be a file-based key manager provider, and it must be enabled. Any LDAP or JMX connection handlers configured to use this key manager provider will automatically start using the new certificate immediately. Any HTTP connection handlers configured to use this key manager provider will start using the new certificate after the server is restarted or the reload-http-connection-handler-certificates tool is invoked. If this argument is not provided, a default value of 'JKS' will be assumed
Default Value JKS
Required Yes
Multi-Valued No

--trust-manager-provider {name}

Description The name of the trust manager provider that is defined in the server configuration and specifies the settings for the trust store to be updated with information needed to trust the new source certificate. This argument must not be used in conjunction with the --use-jvm-default-trust-manager-provider argument. If this argument is provided, then the value must specify the name of an enabled file-based trust manager provider. Any connection handlers configured to use the specified key manager provider will also be updated if necessary to use this new trust manager provider. If neither the --trust-manager-provider nor the --use-jvm-default-trust-manager-provider argument is provided, the tool will assume that the trust manager provider uses the same name as the key manager provider
Required No
Multi-Valued No

--use-jvm-default-trust-manager-provider

Description Indicates that the connection handlers configured to use the target key manager provider should be updated with a trust manager provider that will automatically trust any certificate signed by any certificate in the JVM's default set of trusted issuers. This argument must not be used in conjunction with the --trust-manager-provider argument. It is only recommended for use if the new listener certificate, and any certificates that clients may present to the server, are signed by one of those trusted issuers

--target-certificate-alias {alias}

Description The alias, or nickname, that will be used for the new listener certificate in the target key manager provider's key store. If the key store already contains an entry with this alias, the existing entry will be renamed before the new entry is written. If this argument is not provided, a default value of 'server-cert' will be assumed
Default Value server-cert
Required Yes
Multi-Valued No


Description Ignore the validity window when deciding whether to trust the current listener certificate chain in the course of establishing a secure connection to the server. This argument may be needed to replace the listener certificate if it has already expired

--trust-store-update-type {none|listener-only|issuers-only|listener-and-issuers}

Description The type of update to make to the trust store for the new listener certificate. Allowed values include 'none' (indicating that the trust store should not be updated), 'listener-only' (indicating that the trust store should be updated with only the listener certificate but none of its issuers), 'issuers-only' (indicating that the trust store should be updated with only the issuers for the listener certificate but not the listener certificate itself unless it is self-signed), or 'listener-and-issuers' (indicating that the trust store should be updated with the listener certificate and all of its issuers). If this is not specified, a default value of 'listener-and-issuers' will be used
Default Value listener-and-issuers
Required No
Multi-Valued No

--topology-registry-update-type {none|listener-only|issuers-only|listener-and-issuers}

Description The type of update to make to the topology registry for the new listener certificate. Allowed values include 'none' (indicating that the topology registry should not be updated), 'listener-only' (indicating that the topology registry should be updated with only the listener certificate but none of its issuers), 'issuers-only' (indicating that the topology registry should be updated with only the issuers for the listener certificate but not the listener certificate itself unless it is self-signed), or 'listener-and-issuers' (indicating that the topology registry should be updated with the listener certificate and all of its issuers). If this is not specified, a default value of 'listener-only' will be used
Default Value listener-only
Required No
Multi-Valued No


Description Request that the server reload any certificates associated with HTTP connection handlers configured with support for HTTPS. Note that this may prevent clients from resuming TLS sessions created before the reload


Description Refresh any cached certificate monitor data immediately after updating the listener certificate


Replace the inter-server certificate in a remote server instance. The new inter-server certificate chain may be obtained from a key store file already contained on the server filesystem, from a key store file that exists on the client filesystem, or from files containing the PEM or DER representations of the certificate chain and private key on the client filesystem

replace-remote-inter-server-certificate Examples

Replace the inter-server certificate of the specified remote server with the certificate contained in the '/absolute/path/to/new-keystore-on-server.jks' key store file, which already exists on the server filesystem, under the alias 'new-inter-server-cert':

replace-certificate replace-remote-inter-server-certificate \
     --hostname --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --server-side-source-key-store-file /absolute/path/to/new-keystore-on-server.jks \
     --source-key-store-type JKS \
     --source-key-store-password-file \
     --source-certificate-alias new-inter-server-cert

Replace the inter-server certificate of the specified remote server with the certificate contained in the 'new-keystore-on-client.jks' key store file, which exists on the client filesystem, under the alias 'new-inter-server-cert':

replace-certificate replace-remote-inter-server-certificate \
     --hostname --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --client-side-source-key-store-file new-keystore-on-client.jks \
     --source-key-store-type JKS \
     --source-key-store-password-file \
     --source-certificate-alias new-inter-server-cert

Replace the inter-server certificate of the specified remote server with a certificate whose chain is read from files new-inter-server-cert.pem, intermediate-ca-cert.pem, and root-ca-cert.pem, and whose private key is read from file new-inter-server-key.pem (all of which are on the client filesystem):

replace-certificate replace-remote-inter-server-certificate \
     --hostname --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --client-side-source-certificate-file new-inter-server-cert.pem \
     --client-side-source-certificate-file intermediate-ca-cert.pem \
     --client-side-source-certificate-file root-ca-cert.pem \
     --client-side-source-private-key-file new-inter-server-key.pem

replace-remote-inter-server-certificate Arguments

--server-side-source-key-store-file {path}

Description The path on the server filesystem to the key store file that holds the new inter-server certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. This argument cannot be used in conjunction with the client-side-source-key-store-file or client-side-source-certificate-file arguments
Required No
Multi-Valued No

--client-side-source-key-store-file {path}

Description The path on the client filesystem to the key store file that holds the new inter-server certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. This argument cannot be used in conjunction with the server-side-source-key-store-file or client-side-source-certificate-file arguments
Required No
Multi-Valued No

--client-side-source-certificate-file {path}

Description The path on the client filesystem to a file that holds one or more certificates (in PEM or DER format) for the new inter-server certificate chain. This argument may be provided multiple times if the source certificate chain is split into multiple files. The certificates must be ordered so that the new inter-server certificate is the first certificate in the chain and each subsequent certificate is the issuer for the previous certificate. This argument cannot be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments
Required No
Multi-Valued Yes

--client-side-source-private-key-file {path}

Description The path on the client filesystem to a file that holds the private key (in PEM or DER format) for the new inter-server certificate. This argument may only be provided if the client-side-source-certificate-file argument is also given, and if it is not provided, then it will be assumed that the new inter-server certificate will use the same private key as the current inter-server certificate
Required No
Multi-Valued No

--client-side-source-private-key-encryption-password-file {path}

Description The path on the client filesystem to a file that holds the password used to encrypt the private key for the new inter-server certificate. This argument may only be provided if the client-side-source-private-key-file argument is also given, and if it is not provided, then it will be assumed that the private key is not encrypted
Required No
Multi-Valued No

--source-key-store-type {JKS|PKCS12|BCFKS}

Description The key store type for the source key store. If specified, it must be one of JKS, PKCS12, or BCFKS. If it is not specified, the key store type will be automatically determined
Required No
Multi-Valued No

--source-key-store-password {password}

Description The password needed to interact with the source key store. This argument can only be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments, but if one of those arguments is provided, then exactly one of the source-key-store-password or source-key-store-password-file arguments must also be given
Required No
Multi-Valued No

--source-key-store-password-file {path}

Description The path to a file on the client filesystem that contains the password needed to interact with the source key store. If provided, this file must exist, and it must contain exactly one line with the password to use. This argument can only be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments, but if one of those arguments is provided, then exactly one of the source-key-store-password or source-key-store-password-file arguments must also be given
Required No
Multi-Valued No

--source-certificate-alias {alias}

Description The alias, or nickname, of the source key store entry that contains the complete certificate chain and private key for the new inter-server certificate. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it must be provided if the source key store contains more than one private key entry
Required No
Multi-Valued No

--source-private-key-password {password}

Description The password used to protect the source certificate's private key. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it may be omitted if the private key password matches the key store password (which is often the case). If the private key password differs from the key store password, then exactly one of the source-private-key-password and source-private-key-password-file arguments must be provided
Required No
Multi-Valued No

--source-private-key-password-file {path}

Description The path to a file on the client filesystem that contains the password used to protect the source certificate's private key. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it may be omitted if the private key password matches the key store password (which is often the case). If provided, this file must exist, and it must contain exactly one line with the password to use. If the private key password differs from the key store password, then exactly one of the source-private-key-password and source-private-key-password-file arguments must be provided
Required No
Multi-Valued No


Description Skip some of the validation that the tool normally performs for the new inter-server certificate chain, including verifying that the chain is complete and that all of the certificates are within their validity window


Description Refresh any cached certificate monitor data immediately after updating the inter-server certificate


Replace a TLS listener certificate in a remote server instance. The new listener certificate chain may be obtained from a key store file already contained on the server filesystem, from a key store file that exists on the client filesystem, or from files containing the PEM or DER representations of the certificate chain and private key on the client filesystem

replace-remote-listener-certificate Examples

Update any connection handlers that use the 'JKS' key manager provider to use a new listener certificate contained in the '/absolute/path/to/new-keystore-on-server.jks' key store file that already exists on the server filesystem:

replace-certificate replace-remote-listener-certificate \
     --hostname --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --server-side-source-key-store-file /absolute/path/to/new-keystore-on-server.jks \
     --source-key-store-type JKS \
     --source-key-store-password-file \
     --source-certificate-alias new-listener-cert --key-manager-provider JKS \
     --trust-manager-provider JKS --target-certificate-alias server-cert

Update any connection handlers that use the 'JKS' key manager provider to use a new listener certificate contained in the 'new-keystore-on-client.jks' key store file that exists on the client filesystem:

replace-certificate replace-remote-listener-certificate \
     --hostname --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --client-side-source-key-store-file new-keystore-on-client.jks \
     --source-key-store-type JKS \
     --source-key-store-password-file \
     --source-certificate-alias new-listener-cert --key-manager-provider JKS \
     --trust-manager-provider JKS --target-certificate-alias server-cert

Update any connection handlers that use the 'JKS' key manager provider to use a new listener certificate whose certificate chain is read from files new-listener-cert.pem, intermediate-ca-cert.pem, and root-ca-cert.pem, and whose private key is read from file new-listener-key.pem (all of which are on the client filesystem):

replace-certificate replace-remote-listener-certificate \
     --hostname --port 636 --useSSL \
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile admin-password.txt \
     --client-side-source-certificate-file new-listener-cert.pem \
     --client-side-source-certificate-file intermediate-ca-cert.pem \
     --client-side-source-certificate-file root-ca-cert.pem \
     --client-side-source-private-key-file new-listener-key.pem \
     --key-manager-provider JKS --trust-manager-provider JKS \
     --target-certificate-alias server-cert

replace-remote-listener-certificate Arguments

--server-side-source-key-store-file {path}

Description The absolute path on the server filesystem to the key store file that holds the new listener certificate. It must exist, it must be specified as an absolute path, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. This argument cannot be used in conjunction with the client-side-source-key-store-file or client-side-source-certificate-file arguments
Required No
Multi-Valued No

--client-side-source-key-store-file {path}

Description The path on the client filesystem to the key store file that holds the new listener certificate. It must exist, and it must be a key store in JKS, PKCS #12, or BCFKS format that contains at least one private key entry with a complete certificate chain. This argument cannot be used in conjunction with the server-side-source-key-store-file or client-side-source-certificate-file arguments
Required No
Multi-Valued No

--client-side-source-certificate-file {path}

Description The path on the client filesystem to a file that holds one or more certificates (in PEM or DER format) for the new listener certificate chain. This argument may be provided multiple times if the source certificate chain is split into multiple files. The certificates must be ordered so that the new listener certificate is the first certificate in the chain and each subsequent certificate is the issuer for the previous certificate. This argument cannot be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments
Required No
Multi-Valued Yes

--client-side-source-private-key-file {path}

Description The path on the client filesystem to a file that holds the private key (in PEM or DER format) for the new listener certificate. This argument may only be provided if the client-side-source-certificate-file argument is also given, and if it is not provided, then it will be assumed that the new listener certificate will use the same private key as the current listener certificate
Required No
Multi-Valued No

--client-side-source-private-key-encryption-password-file {path}

Description The path on the client filesystem to a file that holds the password used to encrypt the private key for the new listener certificate. This argument may only be provided if the client-side-source-private-key-file argument is also given, and if it is not provided, then it will be assumed that the private key is not encrypted
Required No
Multi-Valued No

--source-key-store-type {JKS|PKCS12|BCFKS}

Description The key store type for the source key store. If specified, it must be one of JKS, PKCS12, or BCFKS. If it is not specified, the key store type will be automatically determined
Required No
Multi-Valued No

--source-key-store-password {password}

Description The password needed to interact with the source key store. This argument can only be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments, but if one of those arguments is provided, then exactly one of the source-key-store-password or source-key-store-password-file arguments must also be given
Required No
Multi-Valued No

--source-key-store-password-file {path}

Description The path to a file on the client filesystem that contains the password needed to interact with the source key store. If provided, this file must exist, and it must contain exactly one line with the password to use. This argument can only be used in conjunction with the server-side-source-key-store-file or client-side-source-key-store-file arguments, but if one of those arguments is provided, then exactly one of the source-key-store-password or source-key-store-password-file arguments must also be given
Required No
Multi-Valued No

--source-certificate-alias {alias}

Description The alias, or nickname, of the source key store entry that contains the complete certificate chain and private key for the new listener certificate. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it must be provided if the source key store contains more than one private key entry
Required No
Multi-Valued No

--source-private-key-password {password}

Description The password used to protect the source certificate's private key. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it may be omitted if the private key password matches the key store password (which is often the case). If the private key password differs from the key store password, then exactly one of the source-private-key-password and source-private-key-password-file arguments must be provided
Required No
Multi-Valued No

--source-private-key-password-file {path}

Description The path to a file on the client filesystem that contains the password used to protect the source certificate's private key. This argument can only be provided in conjunction with either the server-side-source-key-store-file or client-side-source-key-store-file argument, and it may be omitted if the private key password matches the key store password (which is often the case). If provided, this file must exist, and it must contain exactly one line with the password to use. If the private key password differs from the key store password, then exactly one of the source-private-key-password and source-private-key-password-file arguments must be provided
Required No
Multi-Valued No


Description Skip some of the validation that the tool normally performs for the new listener certificate chain, including verifying that the chain is complete and that all of the certificates are within their validity window
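The checks the tool performs on a client-supplied PEM chain (leaf first, each following certificate the issuer of the previous one, every certificate inside its validity window, a private key that belongs to the leaf, and a password file holding exactly one line) can be run locally before anything is sent to the remote server. The script below is an added example and is not part of the Ping Identity tooling; it relies only on the openssl command-line tool. It builds a constructed root / intermediate / leaf chain in a temporary directory so the checks can be exercised offline, and the hostname ds1.example.com and the password value are assumptions for the demonstration, not values from this page.

```sh
#!/bin/sh
# Client-side pre-flight checks for the PEM inputs to
#   replace-certificate replace-remote-listener-certificate
# Added example, not Ping Identity code. Needs the openssl CLI.
# Assumptions: chain given leaf-first and ending in the self-signed root,
# unencrypted PEM private key, demo hostname ds1.example.com (made up).

# check_chain_order LEAF ISSUER...: the subject of each certificate must equal
# the issuer of the certificate before it (the order the tool requires).
check_chain_order() {
    prev="$1"; shift
    for next in "$@"; do
        issuer=$(openssl x509 -in "$prev" -noout -issuer)
        subject=$(openssl x509 -in "$next" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain break: $next does not issue $prev" >&2
            return 1
        fi
        prev="$next"
    done
}

# check_chain_verifies LEAF [INTERMEDIATE...] ROOT: full path validation with
# the last certificate as trust anchor; this also rejects any certificate
# outside its notBefore/notAfter window.
check_chain_verifies() {
    leaf="$1"; shift
    untrusted=$(mktemp)
    while [ $# -gt 1 ]; do cat "$1" >> "$untrusted"; shift; done
    root="$1"; rc=0
    if [ -s "$untrusted" ]; then
        openssl verify -CAfile "$root" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1 || rc=1
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 || rc=1
    fi
    rm -f "$untrusted"
    return $rc
}

# check_key_matches LEAF KEY: the private key must belong to the leaf
# (compare the SubjectPublicKeyInfo derived from each).
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# write_password_file PATH PASSWORD: the tool reads exactly one line, and the
# file must not be readable by other users.
write_password_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) || return 1
    [ "$(wc -l < "$1")" -eq 1 ]
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf chain so the
# checks can be exercised offline (demo material only, not a real CA).
make_demo_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root-ca-cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root-ca-cert.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/intermediate-ca-cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ds1.example.com" \
        -keyout "$d/new-listener-key.pem" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate-ca-cert.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/new-listener-cert.pem" 2>/dev/null
}

# run_preflight_demo: build the demo chain, run every check, and print the
# invocation to run. Nothing is sent to a server.
run_preflight_demo() {
    dir=$(mktemp -d)
    make_demo_chain "$dir" &&
    check_chain_order "$dir/new-listener-cert.pem" "$dir/intermediate-ca-cert.pem" "$dir/root-ca-cert.pem" &&
    check_chain_verifies "$dir/new-listener-cert.pem" "$dir/intermediate-ca-cert.pem" "$dir/root-ca-cert.pem" &&
    check_key_matches "$dir/new-listener-cert.pem" "$dir/new-listener-key.pem" &&
    write_password_file "$dir/admin-password.txt" 'demo-only-password' ||
        { echo "pre-flight failed" >&2; return 1; }
    cat <<EOF
replace-certificate replace-remote-listener-certificate \\
     --hostname ds1.example.com --port 636 --useSSL \\
     --bindDN uid=admin,dc=example,dc=com --bindPasswordFile $dir/admin-password.txt \\
     --client-side-source-certificate-file $dir/new-listener-cert.pem \\
     --client-side-source-certificate-file $dir/intermediate-ca-cert.pem \\
     --client-side-source-certificate-file $dir/root-ca-cert.pem \\
     --client-side-source-private-key-file $dir/new-listener-key.pem \\
     --key-manager-provider JKS --trust-manager-provider JKS \\
     --target-certificate-alias server-cert
EOF
}

if [ "${1:-}" = "demo" ]; then
    run_preflight_demo
fi
```

Run it as `sh preflight.sh demo` to see the checks pass against the constructed chain and the resulting command printed. Passing the files to the tool in the wrong order (root first) fails check_chain_order before anything reaches the server, and a key that does not match the leaf fails check_key_matches; both are cheaper to catch on the client than after a failed remote update.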

--key-manager-provider {name}

Description The name of the key manager provider that is defined in the server configuration and specifies the settings for the key store to update with the new listener certificate. It must be a file-based key manager provider, and it must be enabled. Any LDAP or JMX connection handlers configured to use this key manager provider will automatically start using the new certificate immediately. Any HTTP connection handlers configured to use this key manager provider will start using the new certificate after the server is restarted or the reload-http-connection-handler-certificates tool is invoked. If this argument is not provided, a default value of 'JKS' will be assumed
Default Value JKS
Required Yes
Multi-Valued No

--trust-manager-provider {name}

Description The name of the trust manager provider that is defined in the server configuration and specifies the settings for the trust store to be updated with information needed to trust the new source certificate. This argument must not be used in conjunction with the --use-jvm-default-trust-manager-provider argument. If this argument is provided, then the value must specify the name of an enabled file-based trust manager provider. Any connection handlers configured to use the specified key manager provider will also be updated if necessary to use this new trust manager provider. If neither the trust-manager-provider nor the use-jvm-default-trust-manager-provider argument is provided, the tool will assume that the trust manager provider uses the same name as the key manager provider
Required No
Multi-Valued No


Description Indicates that the connection handlers configured to use the target key manager provider should be updated with a trust manager provider that will automatically trust any certificate signed by any certificate in the JVM's default set of trusted issuers. This argument must not be used in conjunction with the --trust-manager-provider argument. It is only recommended for use if the new listener certificate, and any certificates that clients may present to the server, are signed with one of those trusted issuers

--target-certificate-alias {alias}

Description The alias, or nickname, that will be used for the new listener certificate in the target key manager provider's key store. If the key store already contains an entry with this alias, the existing entry will be renamed before the new entry is written. If this argument is not provided, a default value of 'server-cert' will be assumed
Default Value server-cert
Required Yes
Multi-Valued No


Description Request that the server reload any certificates associated with HTTP connection handlers configured with support for HTTPS. Note that this may prevent clients from resuming TLS sessions created before the reload


Description Refresh any cached certificate monitor data immediately after updating the listener certificate



Description Display Directory Server version information


Description Display general usage information


Description Display help for using debug options
Advanced Yes

-h {host}
--hostname {host}

Description The IP address or resolvable name to use to connect to the directory server. If this is not provided, then a default value of 'localhost' will be used.
Default Value localhost
Required Yes
Multi-Valued No

-p {port}
--port {port}

Description The port to use to connect to the directory server. If this is not provided, then a default value of 389 will be used.
Default Value 389
Required Yes
Multi-Valued No

-D {dn}
--bindDN {dn}

Description The DN to use to bind to the directory server when performing simple authentication.
Required No
Multi-Valued No

-w {password}
--bindPassword {password}

Description The password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
Required No
Multi-Valued No

-j {path}
--bindPasswordFile {path}

Description The path to the file containing the password to use to bind to the directory server when performing simple authentication or a password-based SASL mechanism.
Required No
Multi-Valued No


Description Indicates that the tool should interactively prompt the user for the bind password.


Description Use SSL when communicating with the directory server.


Description Use StartTLS when communicating with the directory server.


Description Use the JVM's default trust store, the server's default trust store, the server's topology registry, and optionally an additional trust store specified using the --trustStorePath argument to non-interactively determine whether to trust any certificate chain presented during TLS negotiation. If the chain cannot be trusted based on any of those sources, then negotiation will fail without prompting about whether to trust it.


Description Trust any certificate presented by the directory server.

-K {path}
--keyStorePath {path}

Description The path to the file to use as the key store for obtaining client certificates when communicating securely with the directory server.
Required No
Multi-Valued No

-W {password}
--keyStorePassword {password}

Description The password to use to access the key store contents.
Required No
Multi-Valued No

-u {path}
--keyStorePasswordFile {path}

Description The path to the file containing the password to use to access the key store contents.
Required No
Multi-Valued No


Description Indicates that the tool should interactively prompt the user for the password to use to access the key store contents.

--keyStoreFormat {format}

Description The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the key store file.
Required No
Multi-Valued No

-P {path}
--trustStorePath {path}

Description The path to the file to use as trust store when determining whether to trust a certificate presented by the directory server.
Required No
Multi-Valued No

-T {password}
--trustStorePassword {password}

Description The password to use to access the trust store contents.
Required No
Multi-Valued No

-U {path}
--trustStorePasswordFile {path}

Description The path to the file containing the password to use to access the trust store contents.
Required No
Multi-Valued No


Description Indicates that the tool should interactively prompt the user for the password to use to access the trust store contents.

--trustStoreFormat {format}

Description The format (e.g., JKS, PKCS12, PKCS11, BCFKS, etc.) for the trust store file.
Required No
Multi-Valued No


Description Indicates that the tool should verify that the hostname or IP address used to establish connections to the LDAP server matches an address for which the server's TLS certificate was issued.

-N {nickname}
--certNickname {nickname}

Description The nickname (alias) of the client certificate in the key store to present to the directory server for SSL client authentication.
Required No
Multi-Valued No


Description Enable Java's low-level support for debugging SSL/TLS communication. This is equivalent to setting the '' property to 'all'.

-o {name=value}
--saslOption {name=value}

Description A name-value pair providing information to use when performing SASL authentication.
Required No
Multi-Valued Yes


Description Use the SASL EXTERNAL mechanism to authenticate.


Description Provide information about the supported SASL mechanisms, including the properties available for use with each.


Description Launch the tool in interactive mode.


Description Display the names and descriptions of the supported subcommands.

--propertiesFilePath {path}

Description The path to a properties file used to specify default values for arguments not supplied on the command line.
Required No
Multi-Valued No

--generatePropertiesFile {path}

Description Write an empty properties file that may be used to specify default values for arguments.
Required No
Multi-Valued No


Description Do not obtain any argument values from a properties file.


Description Suppress output listing the arguments obtained from a properties file.