API Gateway: Import private certificate failing

Article ID: 230403

Products

CA API Gateway

Issue/Introduction

Importing a private key together with its certificate chain into the Gateway fails.

The same step can be done on our old API Gateway 9.4 without issue.
Environment

Release : 10.0

Component : API GATEWAY

Cause

Gateway 10 and above does not allow two certificates with an identical Subject DN (CN) that are otherwise different certificates, i.e. that differ in fingerprint or attributes.

On Gateway 10 it is not permitted to load two certificates with the same CN but different fingerprints/attributes into the private-key certificate chains. In this specific case the certificate concerned is the intermediate with subject “CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US”.

Example:

Issued to: “CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US”

Resulting SSG log entries when attempting the import:

2021-12-09T11:20:29.796-0500 WARNING 639 com.l7tech.server.security.keystore.JdkKeyStoreBackedSsgKeyStore: Unable to store private key entry, Failed to update certificate chains for the key(s)
com.l7tech.server.security.keystore.ReplaceCertificateChainManager$ReplaceCertificateChainException: Failed to update certificate chains for the key(s)
    at com.l7tech.server.security.keystore.ReplaceCertificateChainManager.update(Unknown Source)
    at com.l7tech.server.security.keystore.JdkKeyStoreBackedSsgKeyStore.a(Unknown Source)
Caused by: com.l7tech.server.security.keystore.ReplaceCertificateChainManager$ReplaceCertificateChainException: Found matching SubjectDN in other Private Keys' certificate chains and overwrite all cert chains is disabled.

 

Resolution

Review every private key whose certificate chain also contains “CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US” and reissue ALL of them, so that every chain carries the same intermediate certificate as the one being imported.
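The following is an added example, not Gateway code, showing how to check an inventory of existing private-key chains against a candidate chain before importing it: it reports every alias whose chain holds the same Subject DN as a candidate certificate but with a different fingerprint (the condition the log above reports), and lists the aliases whose chains must be reissued. Alias names, DN normalisation rules and the DER stand-ins are assumptions; a real check would hash the actual certificate DER bytes.

```python
import hashlib
from typing import Dict, List, NamedTuple, Tuple


class ChainCert(NamedTuple):
    subject_dn: str   # DN string in the form the SSG log prints it
    fingerprint: str  # SHA-256 over the certificate DER, hex


def normalise_dn(dn: str) -> str:
    # Assumption: RDN order and values are significant, whitespace around commas is not.
    return ",".join(part.strip() for part in dn.split(","))


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def find_subject_dn_conflicts(existing: Dict[str, List[ChainCert]],
                              candidate: List[ChainCert]) -> List[Tuple[str, str, str, str]]:
    """Return (alias, subject_dn, existing_fp, candidate_fp) for each certificate in the
    candidate chain whose Subject DN already sits in another key's chain with a different
    fingerprint. Identical certificates (same fingerprint) are not a conflict."""
    conflicts = []
    for cand in candidate:
        cand_dn = normalise_dn(cand.subject_dn)
        for alias, chain in existing.items():
            for cert in chain:
                if normalise_dn(cert.subject_dn) == cand_dn and cert.fingerprint != cand.fingerprint:
                    conflicts.append((alias, cert.subject_dn, cert.fingerprint, cand.fingerprint))
    return conflicts


def aliases_to_reissue(conflicts: List[Tuple[str, str, str, str]]) -> List[str]:
    # Every alias listed here needs its chain reissued with the new intermediate.
    return sorted({alias for alias, _, _, _ in conflicts})


INTERMEDIATE_DN = "CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US"
# Constructed stand-ins for DER bytes: same subject, two different issuances of the intermediate.
OLD_INTERMEDIATE = ChainCert(INTERMEDIATE_DN, fingerprint(b"constructed: intermediate, earlier issuance"))
NEW_INTERMEDIATE = ChainCert(INTERMEDIATE_DN, fingerprint(b"constructed: intermediate, re-issued"))

EXISTING_KEYS = {  # constructed inventory of the Gateway's current private-key chains
    "ssl": [ChainCert("CN=gateway.example.com, O=Example, C=US", fingerprint(b"constructed: ssl leaf")), OLD_INTERMEDIATE],
    "signing": [ChainCert("CN=signer.example.com, O=Example, C=US", fingerprint(b"constructed: signing leaf")), OLD_INTERMEDIATE],
}
NEW_CHAIN = [ChainCert("CN=api.example.com, O=Example, C=US", fingerprint(b"constructed: new leaf")), NEW_INTERMEDIATE]

if __name__ == "__main__":
    found = find_subject_dn_conflicts(EXISTING_KEYS, NEW_CHAIN)
    for alias, dn, old_fp, new_fp in found:
        print(f"alias {alias!r}: {dn} present as {old_fp[:16]}..., candidate chain has {new_fp[:16]}...")
    print("chains to reissue:", aliases_to_reissue(found))
```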
