Renewing replication certificate generates a new entry that isn't replicated upon restart

[Ykrad]

Hi,

So we are still on 4.2.5 which does not have "Backport of OPENDJ-2366 to avoid errors from testssl". We apply the patch ourselves and then regenerate the certificate used for replication (to get SHA256 encryption) following this flow per server:

• Remove the old and generate a new ads-certificate private key
• Add the certificate (public part) to cn=instance keys,cn=admin data
  So that it is replicated to other members
• Set ds-cfg-key-id for this instance to point at the new certificate
• Restart replication provider to make it use the new certificate

As an exampel we then end up with an entry like this:
ds-cfg-key-id=7D:0A:F4:DC:41:6F:9B:F1:95:E2:AE:2B:6B:2A:DE:A5,cn=instance keys,cn=admin data

But after a restart (we need this restart for other reasons) of the server we get another entry like this:
dn: ds-cfg-key-id=7D0AF4DC416F9BF195E2AE2B6B2ADEA5,cn=instance keys,cn=admin data

And this second entry is not replicated. So my questions are as follows:

• Why is this entry generated?
• Any way we can make this entry replicate automatically (if it should be generated in the first place)?
• Anything else we are missing or misusing?

Br

[Ykrad]

It looks like it is CryptoManagerImpl.publishInstanceKeyEntryInADS() that is creating the entry if it does not exist: https://github.com/OpenIdentityPlatform/OpenDJ/blob/master/opendj-server-legacy/src/main/java/org/opends/server/crypto/CryptoManagerImpl.java#L577

I also don't see any entries with ":" in freshly installed systems to I think this is a problem we've introduced ourselves. So we will stop adding such entries and hopefully that will work fine.