
Problem with Create a Private Key and Replace Certificate Chain


Article ID: 240171


Updated On:

Products

CA API Gateway

Issue/Introduction

We are working with Layer7 API Gateway 10.1 CR01 and I want to change our Default SSL Key because the assigned certificate reached its valid-until date.

So I create a new private key, generate a CSR for our CA, get a new certificate chain from our CA and want to replace the certificate chain for the private key, so that I could use this for the new Default SSL Key.

This fails, complaining there is already a key with the same CN.

Environment

Release : 10.1

Component :

Resolution

The restriction that allows only one key/certificate per CN/DN was implemented for security reasons and to prevent certificate problems caused by duplicate certificates with the same CN. There is no option to bypass it.

The normal way to renew is to generate a new CSR from the existing private key and replace its certificate chain with the one the CA returns, which keeps the same key pair. That does not work in your case, because you need a new key pair as well.

In that case you have to create the key pair outside this gateway, either on another gateway or with keytool, using the CN you need, have the CSR signed by your CA, and then export the key together with its certificate chain (for example as a PKCS#12 file) so it can be imported.

To be able to import it on the gateway, first create a temporary SSL key and make it the default SSL key. Until the replacement is in place, clients connecting to the gateway will be presented with this temporary certificate, so do this in a maintenance window.

Reconnect the Policy Manager and delete the expired key.

Import the new key and make it the default SSL key again.

After this you need to restart the gateway service on all cluster nodes.
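The off-box part of the procedure above (new key pair, CSR with the required CN, signed chain, exportable bundle) as an added example. This is not code from the Broadcom article or from the Gateway product; it uses openssl rather than the keytool route the article mentions, and assumes (none of which is in the article) that the openssl CLI is installed, that the hostname is gateway.example.com, that a throwaway test CA stands in for your real CA, that the bundle password is "changeit" and that the key alias is "ssl".

```shell
#!/bin/sh
# Added example, not part of the Broadcom article or the Gateway product:
# build the replacement key pair off-box with openssl (an alternative to the
# keytool route the article mentions) and bundle it as PKCS#12 for import.
# Assumptions (not from the article): openssl CLI is installed, the hostname
# is gateway.example.com, a throwaway test CA stands in for your real CA,
# the bundle password is "changeit" and the key alias is "ssl".
set -eu

CN="${CN:-gateway.example.com}"
P12PASS="${P12PASS:-changeit}"
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the corporate CA; in practice you send the CSR to
# your real CA and get the leaf plus intermediate chain back.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# New private key plus a CSR carrying the CN the gateway needs. This CN is
# the same one the expired key holds, which is exactly why the gateway will
# not import the new key while the old one still exists.
make_key_and_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CN" \
    -keyout "$WORK/new.key" -out "$WORK/new.csr" >/dev/null 2>&1
}

# Sign the CSR as a server certificate with a SAN matching the CN.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$CN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/new.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/new.crt" >/dev/null 2>&1
}

# Bundle key, leaf and issuer chain into one PKCS#12 file for Policy Manager.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/new.key" -in "$WORK/new.crt" \
    -certfile "$WORK/ca.crt" -name ssl -passout "pass:$P12PASS" \
    -out "$WORK/new.p12"
}

# Print the CN of a PEM certificate (the field the gateway's uniqueness check keys on).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=CN=\([^,]*\).*/\1/p'
}

# Run the whole procedure, verify the chain and the CN, and print the bundle path.
build_replacement_key() {
  make_test_ca
  make_key_and_csr
  sign_csr
  export_p12
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/new.crt" >/dev/null
  [ "$(cert_cn "$WORK/new.crt")" = "$CN" ]
  echo "$WORK/new.p12"
}
```

The resulting new.p12 is what you import through the Policy Manager private key import (Manage Private Keys) once the expired key with the same CN has been deleted. One caveat from my own experience rather than the article: if the gateway's JVM rejects a bundle written by OpenSSL 3 (which defaults to PBES2/AES), re-export it with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` so older Java PKCS#12 parsers accept it.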


Additional Information

Engineering is aware that the new limitation makes it cumbersome to renew certificates and will investigate improvements for a future release.