We have a Root certificate added to the Certificate Store to support some of our client apps. But when the certificate is rotated, routing fails and below is the error we receive. Only the child certificate is working. Most of the child certs are set to expire in a span of 6 months to 1 year, which is a maintenance overhead. Root certs have longer expiry dates and we can avoid these problems.
Not sure why Layer7 is not working well with root certs. Is there something we can look into?
All supported versions of the CA API Gateway
Remove all (child/intermediate) certificates that share this certificate in the chain. If every certificate in the chain (intermediate/root) is present in the store, the gateway will only pick the first applicable certificate for the handshake. Import only the highest certificate you wish to trust and remove the lower ones.
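To find which certificates in a trust store are "lower" in a chain (a leaf or intermediate whose issuer is another certificate in the same store), the following added script lists them as removal candidates. It is not part of the KB article; it assumes the OpenSSL CLI is installed and builds a constructed two-level root/leaf store in a temporary directory to run against.

```shell
#!/bin/sh
# Added example (not from the article). Lists every PEM certificate in a
# directory whose issuer is the subject of another certificate in the same
# directory: those are child/intermediate certs that share a chain with a
# trusted root and are candidates for removal from the gateway trust store.
set -eu

subordinate_certs() {
    dir=$1
    for cert in "$dir"/*.pem; do
        issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=[ ]*//')
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=[ ]*//')
        # A self-signed root issues itself; it is the "highest" cert, keep it.
        [ "$issuer" = "$subject" ] && continue
        for other in "$dir"/*.pem; do
            [ "$other" = "$cert" ] && continue
            other_subject=$(openssl x509 -in "$other" -noout -subject | sed 's/^subject=[ ]*//')
            if [ "$issuer" = "$other_subject" ]; then
                echo "$(basename "$cert") is issued by $(basename "$other") -> remove $(basename "$cert")"
                break
            fi
        done
    done
}

# Constructed demo store: a long-lived self-signed root and a short-lived
# leaf it signs, mirroring the 10-year root / 6-month child situation.
make_demo_store() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 3650 \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 180 -out "$dir/leaf.pem" 2>/dev/null
}

STORE=$(mktemp -d)
make_demo_store "$STORE"
subordinate_certs "$STORE"
```

Point `subordinate_certs` at a directory of exported trust-store certificates; anything it reports can be removed while keeping only the root.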
Alternatively, you can go into the Route assertion in the policy.
Go to the Connection tab.
Choose the specific certificate that you want to trust instead of allowing all:
"Trust only the specified Trusted Certificates"
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/policy-assertions/assertion-palette/message-routing-assertions/route-via-http-s-assertion.html#concept.dita_049ffc6cf73f4e1b368ebb8707b00fe50b5546cc_ConfiguringtheConnectionTab
Item 6 on this page.