Standard steps to renew the certificate and key of the Access Gateway

Renewal is required before the cert/key is expired.

1. Prepare the new key(pkcs12 file) and the CA root certificate
2. Backup Access Gateway 
3. Login proxyui of Access Gateway
4. Navigate to "Proxy Configuration" tab
5. Click the "Reset" button of "Embedded web server SSL configuration" to remove the old key/cert
6. Click "Import CA" button of "Embedded web server SSL configuration" to import the CA root certificate
7. Click "Import Cert" button of "Embedded web server SSL configuration" to import the pkcs12 file of the new key and certificate
(if the pkcs12 contains the original self-signed certificate, then need to manually replace it with the CA signed certiifcate, the location can be found from "SSL Certificate File Path" on the proxyui GUI)
8. Click "Activate" button
9. Restart  the Access Gateway to apply the changes.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/access-gateway-configuration/configuring-ssl-for-access-gateway/configuring-ssl-on-apache-web-server-manually.html