Hi Dan, >> Using the command to determine name of the current certificate (step 2 under Apache), the alias names are the same between two servers. Check! Good. >> Under the Shibb section of the update certificate section, I see the shibboleth keystore password is the same between the two servers. I also compared the idp metadata between the two servers and they are identical. Perfect. >> Under the Asimba section, the asimba passwords and the alias names are the same between the two servers. Perfect. >> The only difference I have between the two servers is found under opendj section. My keystore.pins are different and the alias names are the same, but the certificate fingerprints are different. They should be same. The purpose of cluster to put exactly identical two servers. >> My question is should I only follow steps for opendj? You shouldn't touch openDJ certificate. It's by default around 20-30 years valid. You should only check the apache2 section if you want to update your https ssl cert. Updating shib cert and asimba cert should once in a while. >> I don't see instructions for changing scim configs nor for oxauth-keys. Are they just copied over? Yes, they are inside LDAP and LDAP are replicated.

Thanks Mohib! But I'm confused. The Cluster setup instructions at https://gluu.org/docs/cluster/#certificate-management mention "Copy all keys, certs and key storages conforming to these masks: httpd.*, asimba.*, asimbaIDP.*, idp-encryption.*, idp-signing.*, shibIDP.*, oxauth-keys.* and scim-rs.* - to the same directory on the 2nd node (overwriting files that exist there; you may opt to backup them first, just in case)." and then it provides the following link to update the cacerts on the second node: https://gluu.org/docs/how-to/update-certificate/ Are you saying I don't need to copy the keys over from node1 to node2?

>> The Cluster setup instructions at https://gluu.org/docs/cluster/#certificate-management mention "Copy all keys, certs... This is for the sake of simplicity. As cluster configuration is complex; so at the beginning of cluster configuration we suggest deployers to copy over all keys and certs. For production work; we need to know exactly what,which and where to save time. >> and then it provides the following link to update the cacerts on the second node: https://gluu.org/docs/how-to/update-certificate/ Yes, you need to follow this doc when you just need to update apache/httpd ssl cert. >> Are you saying I don't need to copy the keys over from node1 to node2? You do but not all of them. Say.. if you are going to update apache cert for your cluster; what you need to do: - Configure apache cert in node1 by using 'apache cert update' doc - Copy apache cert, key and java keystore to node2 - Done

I'm sorry, but I'm trying to get this down. Since my apache certificates, shibb keystore info, and Asimba info are the same between the servers: 1) do I need make opendj info the same between both servers? If I do, how? 2) do I need to make the scim and oxauth files the same between both servers? If so, how do I do this?

>> 1) do I need make opendj info the same between both servers? If I do, how? >> 2) do I need to make the scim and oxauth files the same between both servers? If so, how do I do this? No, if you followed the CE clustering doc; you are good to go. ldap configs are migrated and shared between two nodes with ldap replication.