Updating an Expiring Private Key


Article ID: 241028


Products

CA API Gateway

Issue/Introduction

There are a few different approaches to updating or replacing a private key in the API Gateway; three are described below.

Environment

API Gateway 10.1, 11.0

Cause

The Gateway does not allow two private keys with the same CN, even when their fingerprints differ. The expiring key therefore has to be deleted (or a different CN used) before its replacement can be created or imported.

Resolution

SCENARIO 1: Import an Updated Private Key (issued by a CA)
A. Take a VM snapshot and/or take a backup of the current private key
B. Delete the current key
C. Click [Import] and select the new key

SCENARIO 2: Replace Existing Private Key (self-signed, no CSR, mark as SSL)
A. Take a VM snapshot and/or take a backup of the current private key
B. Create a new "placeholder" private key called 'holder'
   Note: DO NOT check the "Certificate will be used to sign other certificates" check box
C. Double-click on the 'holder' key and click [Mark as Special Purpose]
D. Select 'Make Default SSL Key', then click OK
E. Delete the expiring key
F. Create a new private key with the same alias/CN
   Note: DO NOT check the "Certificate will be used to sign other certificates" check box
G. Double-click on the newly created key and click [Mark as Special Purpose]
H. Select 'Make Default SSL Key', then click OK
I. Restart the Gateway service

SCENARIO 3: Create a New Private Key (self-signed with CSR, mark as SSL)
A. Take a VM snapshot and/or take a backup of the current private key
B. Create a new private key with the desired name/CN
   Note: DO NOT check the "Certificate will be used to sign other certificates" check box
C. Double-click on the newly created key and click [Generate CSR], then provide the .PEM file to your CA
D. If you need to mark the new private key as the default SSL key, follow the steps here

Once you receive the certificate from your CA:
E. Double-click on the newly created key and click [Replace Certificate Chain]
F. Using the 'Import from a File' option, import the CA certificate (full chain)
G. Go to Tasks > Certificates, Keys and Secrets
H. Click [Import] and, using the 'Import from a File' option, import the CA certificate (full chain)
I. Restart the Gateway service
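After the restart in step I (Scenarios 2 and 3), it is worth confirming that the Gateway actually serves the new default SSL certificate rather than the expiring one. The script below is an added example, not part of this article or the Gateway product; it assumes the openssl CLI is installed, uses placeholder host/port values, and expects the step A backup of the old certificate to be available as a PEM file.

```shell
#!/bin/sh
# Added post-rotation check, not part of the Broadcom article or the Gateway product.
# Assumptions: openssl CLI present; GATEWAY_HOST/GATEWAY_PORT are placeholders for the
# Gateway listener; OLD_CERT_PEM is the step A backup, exported as a PEM certificate.

# SHA-256 fingerprint of the PEM certificate in file $1 (e.g. "AB:CD:...").
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the certificate in file $1 is still valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Fetch the certificate the Gateway really presents (TLS handshake only) into file $3.
fetch_gateway_cert() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Return 0 only if the served certificate differs from the backed-up old one AND
# still has at least $3 days of validity; otherwise say why and return 1.
verify_rotation() {
  old="$1"; served="$2"; min_days="$3"
  old_fp=$(cert_fingerprint "$old")
  new_fp=$(cert_fingerprint "$served")
  if [ "$old_fp" = "$new_fp" ]; then
    echo "Gateway still serves the OLD certificate ($old_fp); the restart may not have applied"
    return 1
  fi
  if ! cert_valid_for_days "$served" "$min_days"; then
    echo "Served certificate ($new_fp) expires within $min_days days"
    return 1
  fi
  echo "OK: served certificate $new_fp is valid for at least $min_days days"
  echo "    subject: $(openssl x509 -in "$served" -noout -subject)"
  return 0
}

# Manual use against a live Gateway (skipped unless --run is given):
#   GATEWAY_HOST=gw.example.com OLD_CERT_PEM=old.pem sh check.sh --run
if [ "${1:-}" = "--run" ]; then
  fetch_gateway_cert "${GATEWAY_HOST:-gateway.example.com}" "${GATEWAY_PORT:-8443}" served.pem
  verify_rotation "${OLD_CERT_PEM:-old.pem}" served.pem 30
fi
```

A matching fingerprint after the restart usually means the old key was still marked as the default SSL key when the service came back up, so steps G and H should be re-checked.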