We are working with Layer7 API Gateway 10.1 CR01, and I want to change our Default SSL Key because the assigned certificate reached its valid-until date.
So I created a new private key, generated a CSR for our CA, got a new certificate chain from our CA, and wanted to replace the certificate chain for the private key,
so that I could use it as the new Default SSL Key.
This fails, complaining that there is already a key with the same CN.
Release : 10.1
The restriction that allows only one key/certificate per CN/DN was implemented for security reasons and to prevent certificate problems caused by duplicate certificates with the same CN; there is no option to bypass it.
If you need to create a new key, the normal solution is to renew the chain with a new CSR. That will not work in your case, because you need a new keypair as well.
In that case you have to create the keypair on another gateway, or with keytool, using the CN you need, have it signed, and then export it.
To be able to import it on the gateway:
1. Create a temporary SSL key and make it the Default SSL Key.
2. Reconnect the Policy Manager and delete the expired key.
3. Import the new key and make it the Default SSL Key again.
4. After this, restart the gateway service on all cluster nodes.
Engineering is aware that the new limitations make it cumbersome to renew certificates and will investigate improvements for a future release.
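The off-box part of the workaround above (generate a keypair with the same CN, get it signed, export it for import into the gateway), as an added example that is not part of the original article or of the Layer7 product. It uses openssl rather than keytool, since both produce the same PKCS#12 bundle; the CN `gateway.example.com`, the scratch directory, the PKCS#12 password and the throwaway "Demo Issuing CA" are all assumptions constructed for the demonstration, and in real use the CSR would be submitted to your own CA instead of being signed locally. The last function reads the subject back out of the bundle so you can confirm the CN matches the expired key before you delete it on the gateway.

```shell
#!/bin/sh
# Added example (not from the original article): build a replacement Default SSL Key
# off-box so it can carry the same CN as the key that expired on the gateway.
set -e

WORKDIR="${WORKDIR:-./ssl-key-work}"   # assumption: scratch directory for all artifacts
CN="${CN:-gateway.example.com}"        # assumption: CN of the expired Default SSL Key
P12_PASS="${P12_PASS:-changeit}"       # assumption: demo password; use a real one in practice

# Constructed throwaway CA that stands in for the organisation's real issuing CA.
make_demo_ca() {
  mkdir -p "$WORKDIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Issuing CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Step 1: new keypair plus a CSR carrying the same CN as the key being replaced.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$CN" \
    -keyout "$WORKDIR/new.key" -out "$WORKDIR/new.csr" >/dev/null 2>&1
}

# Step 2: have the CA sign the CSR (in real use, submit new.csr to your CA instead).
sign_csr() {
  openssl x509 -req -days 365 -in "$WORKDIR/new.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -out "$WORKDIR/new.crt" >/dev/null 2>&1
}

# Step 3: bundle private key + leaf + CA chain into a PKCS#12 file to import on the gateway.
export_p12() {
  openssl pkcs12 -export -name "ssl" \
    -inkey "$WORKDIR/new.key" -in "$WORKDIR/new.crt" \
    -certfile "$WORKDIR/ca.crt" \
    -passout "pass:$P12_PASS" -out "$WORKDIR/new-ssl.p12"
}

# Check before import: the leaf certificate's subject in the bundle, e.g. "CN=gateway.example.com".
p12_subject_cn() {
  openssl pkcs12 -in "$WORKDIR/new-ssl.p12" -passin "pass:$P12_PASS" \
    -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//'
}

# Run all steps and print the subject of the bundle that was produced.
build_replacement_key() {
  make_demo_ca
  make_key_and_csr
  sign_csr
  export_p12
  p12_subject_cn
}
```

Run it with `CN=<your gateway CN> sh build-key.sh` (calling `build_replacement_key`), then import `new-ssl.p12` via Policy Manager at step 3 of the procedure above. The bundle contains the private key, so treat it like any other key material: move it over an authenticated channel and delete the working directory once the gateway has the key.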