Menu Close
Settings Close

Language and Page Formatting Options

Chapter 6. Renewing a TLS certificate

TLS certificates have an expiration date and time. To continuously provide secure connections, renew the server certificate in Directory Server before it expires.

6.1. Renewing a TLS certificate using the command line

Follow this procedure before the TLS server certificate expires to renew it.


  • Attribute encryption is not configured.
  • The TLS certificate will expire in the near future.


  1. Create a private key and a certificate signing request (CSR). Skip this step if you want to create them using an external utility.

    • If your host is reachable only by one name, enter:

      # dsctl instance_name tls generate-server-cert-csr -s ",O=example_organization"
    • If your host is reachable by multiple names:

      # dsctl instance_name tls generate-server-cert-csr -s ",O=example_organization"

      If you specify the host names as the last parameter, the command adds the Subject Alternative Name (SAN) extension with the, entries to the CSR.

    The string specified in the -s subject parameter must be a valid subject name according to RFC 1485. The CN field in the subject is required, and you must set it to one of the fully-qualified domain names (FQDN) of the server. The command stores the CSR in the /etc/dirsrv/slapd-instance_name/Server-Cert.csr file.

  2. Submit the CSR to the certificate authority (CA) to get a certificate issued. For further details, see your CA’s documentation.
  3. Store both the CA certificate and the server certificate in the /root/ directory.
  4. Import the server certificate issued by the CA to the NSS database, using one of the following options:

    • If you created the private key using the dsctl tls generate-server-cert-csr command, enter:

      # dsconf -D "cn=Directory Manager" ldap:// security certificate add --file /root/instance_name.crt --name "server-cert" --primary-cert

      Remember the name of the certificate you set in the --name _certificate_nickname parameter. You require it in a later step.

    • If you created the private key using an external utility, import the server certificate and the private key:

      # dsctl instance_name tls import-server-key-cert /root/server.crt /root/server.key

      Note that the command requires you to specify the path to the server certificate first and then the path to the private key. This method always sets the nickname of the certificate to Server-Cert.

  5. Import the CA certificate to the NSS database:

    # dsconf -D "cn=Directory Manager" ldap:// security ca-certificate add --file /root/ca.crt --name "Example CA"
  6. Set the trust flags of the CA certificate:

    # dsconf -D "cn=Directory Manager" ldap:// security ca-certificate set-trust-flags "Example CA" --flags "CT,,"

    This configures Directory Server to trust the CA for TLS encryption and certificate-based authentication.

  7. Stop the instance:

    # dsctl instance_name stop
  8. Edit the /etc/dirsrv/slapd-instance_name/dse.ldif file, and remove the following entries including their attributes:

    • cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
    • cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config

    Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.

  9. Start the instance:

    # dsctl instance_name start