There are a few different approaches to updating/replacing a private key in the API Gateway.

API Gateway 10.1, 11.0

It's not possible to have two private keys with the same CN (even though the fingerprint is different).

SCENARIO 1: Import an Updated Private Key (issued by CA)
A. Take a VM snapshot and/or take a backup of the current private key
B. Delete the current key
C. Click [Import] and select the new key

SCENARIO 2: Replace Existing Private Key (self-signed, no CSR, mark as SSL)
A. Take a VM snapshot and/or take a backup of the current private key
B. Create a new "placeholder" private key called 'holder'
   Note: DO NOT check off the "Certificate will be used to sign other certificates" check box
C. Double-click on the 'holder' key and click [Mark as Special Pupose]
D. Select 'Make Default SSL Key' - then click OK
E. Delete the expiring key
F. Create a new private key with the same alias/CN
   Note: DO NOT check off the "Certificate will be used to sign other certificates" check box
G. Double-click on the newly created key and click [Mark as Special Pupose]
H. Select 'Make Default SSL Key' - then click OK
I. Restart the Gateway service

SCENARIO 3: Create a New Private Key (self-signed with CSR, mark as SSL)
A. Take a VM snapshot and/or take a backup of the current private key
B. Create a new private key with desired name/CN
   Note: DO NOT check off the "Certificate will be used to sign other certificates" check box
C. Double-click on the newly created key and click [Generate CSR] - provide the .PEM file to the CA
D. If it's required to mark the new private key as the default SSL, follow the steps here

Once a certificate from the CA:
E. Double-click on the newly created key and click [Replace Certificate Chain]
F. Using the 'Import from a File' option, import the CA certificate (full chain)
G. Go to Tasks > Certificates, Keys and Secrets
H. Click on [Import] and using the 'Import from a File' option, import the CA certificate (full chain)
I. Restart the Gateway service