Problem with Create a Private Key and Replace Certificate Chain
Article ID: 240171

Products

CA API Gateway

Issue/Introduction

We are working with Layer7 API Gateway 10.1 CR01 and I want to change our Default SSL Key because the assigned certificate has reached its valid-until date.

So I create a new Private Key, generate a CSR for our CA, get a new Certificate Chain from our CA and want to replace the Certificate Chain for the Private Key, so that I could use this as the new Default SSL Key.

This fails, complaining that there is already a key with the same CN.

Environment

Release : 10.1

Component :

Resolution

The restriction that allows only one key/certificate per CN/DN was implemented for security reasons and to prevent certificate problems caused by duplicate certificates with the same CN; there is no option to bypass it.

If you need to create a new key, the normal solution is to renew the chain with a new CSR request. This will not work in your case, because you need a new key pair as well.

In that case you have to create the key pair on another Gateway, or with keytool, using the CN you need, have it signed by your CA, and then export it.

To be able to import it on the Gateway:

1) Create a temporary SSL key and make it the Default SSL Key.

2) Reconnect the Policy Manager and delete the expired key.

3) Import the new key and make it the Default SSL Key again.

4) Restart the Gateway service on all cluster nodes.
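As an added example (not Broadcom's own tooling), the keytool route from the Resolution carried through end to end: generate the replacement key with the Subject DN the Gateway expects, produce the CSR, install the CA-signed chain and leave a PKCS#12 file ready for import through the Policy Manager. The CA below is a constructed local test CA so the script runs offline; the DN, working directory and password are assumptions.

```shell
#!/bin/sh
# Added example: builds the replacement keypair outside the Gateway with keytool
# and exports it as PKCS#12. The CA is a CONSTRUCTED local test CA so this runs
# offline; in practice you send the CSR to your real CA and import its chain.
set -eu

make_replacement_key() {
  dn="$1"        # Subject DN the Gateway expects, e.g. "CN=gw.example.com,O=Example" (assumed)
  dir="$2"       # writable working directory (assumed)
  pw="changeit"  # PKCS#12 uses one password for the store and the key (assumed)

  # 1. Constructed test CA standing in for your real CA (bc:c = critical CA:true).
  keytool -genkeypair -alias testca -keyalg RSA -keysize 2048 \
    -dname "CN=Constructed Test CA" -ext bc:c -validity 3650 \
    -keystore "$dir/ca.jks" -storepass "$pw" -keypass "$pw" >/dev/null 2>&1
  keytool -exportcert -alias testca -keystore "$dir/ca.jks" -storepass "$pw" \
    -rfc -file "$dir/ca.cer" >/dev/null 2>&1

  # 2. New private key carrying the same CN as the expiring Default SSL Key.
  keytool -genkeypair -alias ssl -keyalg RSA -keysize 2048 -dname "$dn" \
    -validity 825 -keystore "$dir/server.p12" -storetype PKCS12 \
    -storepass "$pw" -keypass "$pw" >/dev/null 2>&1

  # 3. CSR to hand to the CA.
  keytool -certreq -alias ssl -keystore "$dir/server.p12" -storepass "$pw" \
    -file "$dir/server.csr" >/dev/null 2>&1

  # 4. The CA signs the request (this is the step your real CA performs).
  keytool -gencert -alias testca -keystore "$dir/ca.jks" -storepass "$pw" \
    -infile "$dir/server.csr" -outfile "$dir/server.cer" -rfc -validity 825 \
    >/dev/null 2>&1

  # 5. Replace the self-signed cert with the CA chain: trust the root, then
  #    import the signed reply, which keytool chains up to that root.
  keytool -importcert -alias testca -keystore "$dir/server.p12" -storepass "$pw" \
    -file "$dir/ca.cer" -noprompt >/dev/null 2>&1
  keytool -importcert -alias ssl -keystore "$dir/server.p12" -storepass "$pw" \
    -file "$dir/server.cer" -noprompt >/dev/null 2>&1

  # server.p12 now holds the key and its chain: import it in the Policy
  # Manager (Manage Private Keys > Import) with the password above.
  printf '%s\n' "$dir/server.p12"
}

# Chain length keytool records for the exported key entry (2 in this setup).
chain_length() {
  keytool -list -v -keystore "$1" -storepass changeit -alias ssl 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}
```

Check the chain length before importing; a value of 1 means the CA reply was not applied and the Gateway would still see the self-signed certificate.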

In Gateway 10.1 CR3 and above the following cluster-wide property (CWP) can be set.

Enable Multiple Private Keys With Same Subject DN:

With the cluster-wide property keystore.allowDuplicatesBySubjectDN, the Gateway supports private keys with the same Subject DN. This property gives customers the option to enable or disable private keys with the same Subject DN. See Enable Multiple Private Keys with Same Subject DN for more information.

Note: to set the value, reach the cluster-wide properties as follows.

1) Policy Manager top bar: TASKS -> Global Settings -> Manage Cluster Wide Properties

2) In the Cluster Wide Properties dialog, click "Add"

3) Enter in KEY: keystore.allowDuplicatesBySubjectDN

4) Press the Tab key; assuming this is CR03, the default value you can override is exposed along with its description. You can then set the value: True


Additional Information

Engineering is aware that the new limitation makes it cumbersome to renew certificates and will investigate improvements for a future release.