Problem with Create a Private Key and Replace Certificate Chain



Article ID: 240171


Updated On:


CA API Gateway


We are working with Layer7 API Gateway 10.1 CR01 and I want to change our Default SSL Key because the assigned Certificate reached its valid-until date.

So I create a new Private Key, generate a CSR for our CA, get a new Certificate Chain from our CA and want to replace the Certificate Chain for the Private Key, so that I could use this for the new Default SSL Key.

This fails, complaining there is already a key with the same CN.


Release: 10.1

Component:


The restriction that allows only one key/certificate per CN/DN was implemented for security reasons and to prevent certificate problems caused by duplicate certificates with the same CN. There is no option to bypass it.

If you need a new certificate, the normal solution is to renew the chain of the existing key with a new CSR request. That will not work in your case, because you need a new key pair as well.

In that case you have to create the key pair on another gateway, or with keytool, using the CN you need, have it signed, and then export it.

To be able to import it on the gateway, first create a temporary SSL key and make it the default SSL key.

Reconnect the Policy Manager and delete the expired key.

Import the new key and make it the default SSL key again.

After this you need to restart the gateway service on all cluster nodes.
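The off-gateway key creation the article describes, written out as an added keytool example (this is not Broadcom's or the gateway's own tooling). The alias, keystore password, file names, the optional O attribute and the assumption that the CA returns a root certificate plus the issued certificate as separate files are all assumptions; the resulting PKCS#12 file is what you import through the Policy Manager.

```shell
#!/bin/sh
# Added example: build a replacement key pair for a CN the gateway still holds
# in an expired key, outside the gateway, so it can be imported afterwards.
# Assumed values (not from the article): alias "ssl", 2048-bit RSA, PKCS#12 store.
set -eu

KS="${KS:-newssl.p12}"               # PKCS#12 keystore; import this file into the gateway
ALIAS="${ALIAS:-ssl}"                # alias inside the keystore
STOREPASS="${STOREPASS:-changeit}"   # constructed password; replace with your own

# Build the distinguished name from the CN the gateway needs (plus an optional O).
gateway_dn() {
    cn=$1; org=${2:-}
    if [ -n "$org" ]; then printf 'CN=%s,O=%s' "$cn" "$org"; else printf 'CN=%s' "$cn"; fi
}

# Step 1: fresh key pair (initially self-signed) in a PKCS#12 keystore.
create_keypair() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "$(gateway_dn "$1" "${2:-}")" -validity 365 \
        -keystore "$KS" -storetype PKCS12 -storepass "$STOREPASS"
}

# Step 2: CSR to hand to the CA.
create_csr() {
    keytool -certreq -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" -file "$1"
}

# Step 3: import what the CA returns, root first, then the issued certificate as
# the reply for the key alias, so the alias ends up holding the full chain.
import_chain() {
    keytool -importcert -noprompt -alias ca-root -file "$1" \
        -keystore "$KS" -storepass "$STOREPASS"
    keytool -importcert -alias "$ALIAS" -file "$2" \
        -keystore "$KS" -storepass "$STOREPASS"
}

# Check: the alias in the keystore carries the wanted CN in its subject.
alias_has_cn() {
    keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q "CN=$1"
}

# Usage, run only when a CN is given on the command line (hostname is assumed):
#   sh newkey.sh gw.example.com "Example Org"   -> newssl.p12 and newssl.csr
if [ $# -ge 1 ]; then
    create_keypair "$1" "${2:-}"
    create_csr "${KS%.p12}.csr"
    alias_has_cn "$1" && echo "key pair ready in $KS; submit ${KS%.p12}.csr to your CA"
fi
```

Once the CA has answered, run `import_chain root.pem issued.pem` against the same keystore and import the PKCS#12 file into the gateway as described above.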


Additional Information

Engineering is aware that the new limitation makes it cumbersome to renew certificates and will investigate improvements for a future release.