We are working with Layer7 API Gateway 10.1 CR01 and I want to change our Default SSL Key because the assigned certificate has reached its valid-until date.
So I created a new Private Key, generated a CSR for our CA, got a new certificate chain from our CA and wanted to replace the certificate chain for the Private Key,
so that I could use it as the new Default SSL Key.
This fails, complaining that there is already a key with the same CN.
Release: 10.1
Component:
The restriction that allows only one key/certificate per CN/DN was implemented for security reasons and to prevent certificate problems caused by duplicate certificates with the same CN; there is no option to bypass it.
If you need to create a new key, the normal solution is to renew the chain with a new CSR request. That will not work in your case, because you need a new key pair too.
In that case you have to create the key pair on another Gateway, or with keytool using the CN you need, have it signed, and then export it.
To be able to import it on the Gateway:
1) Create a temporary SSL key and make it the Default SSL Key.
2) Reconnect the Policy Manager and delete the expired key.
3) Import the new key and make it the Default SSL Key again.
After this you need to restart the Gateway service on all cluster nodes.
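The off-Gateway part of the procedure above (new key pair with the existing CN, CSR for the CA, then packaging the signed chain for import as a new Private Key), as an added example that is not from the original article. It uses openssl in place of the keytool the answer mentions; the hostname, paths and import password are assumed placeholders.

```shell
#!/bin/sh
# Added example (not part of the article). Generates a fresh RSA key pair and
# CSR outside the Gateway, then, once the CA returns the signed chain, checks
# the chain matches the key and bundles both into a PKCS#12 file that Policy
# Manager can import as a new Private Key. openssl stands in for keytool here.
set -eu

CN="${CN:-gateway.example.com}"      # placeholder: the CN of the expiring SSL key
WORKDIR="${WORKDIR:-./ssl-renewal}"  # placeholder working directory
P12_PASS="${P12_PASS:-changeit}"     # placeholder PKCS#12 import password

# Step 1: new key pair + CSR. Submit the printed .csr to your CA.
make_key_and_csr() {
  mkdir -p "$WORKDIR"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/ssl.key" -out "$WORKDIR/ssl.csr" \
    -subj "/CN=$CN" >/dev/null 2>&1
  # Only the operator performing the renewal should be able to read the key.
  chmod 600 "$WORKDIR/ssl.key"
  echo "$WORKDIR/ssl.csr"
}

# Step 2: after the CA returns the chain (PEM, leaf certificate first), refuse
# to package a chain that was not issued for this key, then build the PKCS#12.
bundle_for_import() {
  chain="$1"
  key_mod=$(openssl rsa -in "$WORKDIR/ssl.key" -noout -modulus)
  crt_mod=$(openssl x509 -in "$chain" -noout -modulus)
  if [ "$key_mod" != "$crt_mod" ]; then
    echo "certificate chain does not match $WORKDIR/ssl.key" >&2
    return 1
  fi
  openssl pkcs12 -export -inkey "$WORKDIR/ssl.key" -in "$chain" \
    -name "ssl-$(date +%Y%m%d)" -out "$WORKDIR/ssl.p12" \
    -passout "pass:$P12_PASS"
  chmod 600 "$WORKDIR/ssl.p12"
  echo "$WORKDIR/ssl.p12"
}
```

Import the resulting .p12 through Policy Manager as a new Private Key after the expired key has been deleted, then make it the Default SSL Key and restart the Gateway service on every node as described above.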
In Gateway 10.1 CR3 and above the following cluster-wide property (CWP) can be set.
Enable Multiple Private Keys With Same SubjectDN:
With the cluster-wide property keystore.allowDuplicatesBySubjectDN, the Gateway supports private keys with the same SubjectDN. This property lets customers enable or disable private keys with the same SubjectDN. See Enable Multiple Private Keys with Same Subject DN for more information.
Note: to reach the cluster-wide properties and set the value:
1) Policy Manager top bar TASKS -> Global Settings -> Manage Cluster Wide Properties
2) In cluster wide properties dialog click "Add"
3) Enter In KEY: keystore.allowDuplicatesBySubjectDN
4) Press the Tab key. Assuming the Gateway is CR03 or later, the default value you can override and the property description are then exposed. You can then set the value to True.
Engineering is aware that the new limitations make it cumbersome to renew certificates and will investigate improvements for a future release.