10.5. Updating the TLS Certificates Used for Attribute Encryption

Attribute encryption is based on the TLS certificate. To prevent that attribute encryption fails after renewing or replacing the TLS certificate:
  1. Export the database with decrypted attributes. See Section 10.4.1, “Exporting an Encrypted Database”.
  2. Create a new Certificate Signing Request (CSR). See Section 9.3.1, “Creating a Certificate Signing Request”.
  3. Install the new certificate. See Section 9.3.4, “Installing a Server Certificate”.
  4. Stop the Directory Server instance:
    # dsctl instance_name stop
  5. Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file and remove the following entries including their attributes:
    • cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
    • cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config


    Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.
  6. Start the instance:
    # dsctl instance_name start