In Gateway 10.0, we can upload/update the same key under a different name and with a different expiration date. In Gateway 10.1, the same procedure fails with the following error:
SSG error
2022-01-25T20:27:26.352-0800 WARNING 1714 com.l7tech.server.security.keystore.ReplaceCertificateChainManager: New certificate does not certify the public key for the private key CN=<certificate name>
2022-01-25T20:27:26.352-0800 WARNING 1714 com.l7tech.server.security.keystore.JdkKeyStoreBackedSsgKeyStore: Failed to get the impacted certificate chains: New certificate does not certify the public key for the private key CN=<certificate name>
com.l7tech.server.security.keystore.ReplaceCertificateChainManager$ReplaceCertificateChainException: New certificate does not certify the public key for the private key CN=<certificate name>
API Gateway 10.1
The Gateway uses the JDK implementation "PKCS12KeyStore" for its keystore.
During the KeyStore.store() call, it writes the private key bytes first and then the certificate chain associated with that private key. During the KeyStore.load() call, it recreates each certificate chain by matching the SubjectDN and IssuerDN values rather than by the stored association. Because the Subject DN of Intermediate 2 is the same in both chains, both private keys are given the same chain on load, even though the keys (and their leaf certificates) are actually different. The Gateway then finds that the reconstructed chain's leaf certificate does not certify the private key's public key, which is the warning logged above.
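The following standalone audit is an added example, not Gateway code: it loads a PKCS12 file with the JDK keystore (the file path and password are assumed command-line arguments) and, for every private key entry, checks whether the leaf certificate of the reconstructed chain really certifies that key (a sign/verify round trip) and reports any Subject DN shared by more than one key entry, which is the condition that triggers the mismatch described above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class KeyChainAudit {

    // Does this certificate certify this private key? A sign/verify round trip
    // avoids deriving the public key by hand for each key algorithm (RSA or EC).
    static boolean certifies(PrivateKey key, X509Certificate leaf) {
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] probe = "keystore-audit".getBytes(java.nio.charset.StandardCharsets.UTF_8);
        try {
            Signature s = Signature.getInstance(alg);
            s.initSign(key);
            s.update(probe);
            byte[] sig = s.sign();
            Signature v = Signature.getInstance(alg);
            v.initVerify(leaf.getPublicKey());
            v.update(probe);
            return v.verify(sig);
        } catch (Exception e) {
            // Wrong key size or algorithm for this certificate: it cannot certify the key.
            return false;
        }
    }

    // Usage (assumed): java KeyChainAudit <keystore.p12> <password>
    // Assumes the key entries use the same password as the keystore.
    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);   // this is where the JDK rebuilds chains by Subject/Issuer DN
        }
        Map<String, List<String>> aliasesBySubject = new HashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            String subject = leaf.getSubjectX500Principal().getName();
            aliasesBySubject.computeIfAbsent(subject, k -> new ArrayList<>()).add(alias);
            if (!certifies(key, leaf)) {
                System.out.println("MISMATCH " + alias + ": leaf " + subject
                        + " does not certify the private key (chain rebuilt by DN?)");
            }
        }
        aliasesBySubject.forEach((subject, aliases) -> {
            if (aliases.size() > 1)
                System.out.println("DUPLICATE SubjectDN " + subject + " used by key entries " + aliases);
        });
    }
}
```

Run it against a PKCS12 file before importing it into the Gateway: a DUPLICATE line indicates the case that needs keystore.allowDuplicatesBySubjectDN (10.1 CR03 and later) or the delete-and-recreate workaround.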
This is a known issue [Defects DE464166/DE337781]
Issue: The replace-certificate-chain functionality does not work. If the root or intermediate certificates in the new chain match existing certificates, the new chain is not imported.
Workaround provided:
Take a snapshot of the Gateway before proceeding.
When a certificate is deleted, all keys that have that certificate in their certificate chain must also be deleted; otherwise the certificate still exists in the database.
The workaround is therefore to delete all private keys whose certificate chain uses the deleted certificate, and then create the new certificate with the same name.
A new feature is introduced to address this issue in the 10.1 CR03 Gateway. As noted in the document:
Enable Multiple Private Key With Same SubjectDN: With the help of cluster-wide property keystore.allowDuplicatesBySubjectDN, the Gateway intends to support private keys with same SubjectDN. This property provides an option for customers to enable or disable private keys with same SubjectDN. See Enable Multiple Private Keys with Same Subject DN for more information.
Note: To reach the cluster-wide properties and set the value:
1) In the Policy Manager top bar, select TASKS -> Global Settings -> Manage Cluster Wide Properties
2) In the cluster-wide properties dialog, click "Add"
3) In the KEY field, enter: keystore.allowDuplicatesBySubjectDN
4) Press the Tab key. On CR03 the default value (which you can override) and the property description are displayed. Set the value to: True