SSL certificate rotation third party trusted sites

Article ID: 386965

Products

CA API Gateway

Issue/Introduction

A certificate rotation at a third-party service provider resulted in an outage.

The vendor replaced its server certificate, and the Gateway failed the SSL handshake because it could not validate the new certificate. The issue was resolved by importing the new certificate, but since the vendor's server certificate rotates often, what other options are there for handling this situation?

Environment

Gateway, all versions

Cause

Working as designed. The Gateway's default trust is zero trust (NO TRUST): to establish an SSL connection, a valid certificate must be imported into the Gateway and marked as trusted.

Resolution

Options:

  • The Gateway can be changed to trust all certificates issued by well-known CAs by setting the cluster-wide property pkix.useDefaultTrustAnchors to true. All CA certificates shipped in the OpenJDK trust store are then trusted (see KB 261895). This changes the Gateway from NO Trust to trusting most certificates.

OR

  • Add one of the certificates in the chain as a Trusted Anchor in the Gateway trust store: either the IntermediateCA (the issuer) or the RootCA.

The IntermediateCA and RootCA certificates typically have a longer lifetime and rotate less often. NOTE: adding the IntermediateCA or the RootCA as trusted changes the Gateway from ZERO Trust to trusting every certificate issued under that chain:

Default SSL certificate chain

  1. Server certificate:  CN=<service provider server host>, OU=<org unit>, O=<org>, L=<location>, ST=<state>, C=<country>
  2. IntermediateCA:  CN=<IntermediateCA>, OU=<org unit>, O=<org>, L=<location>, ST=<state>, C=<country>
  3. RootCA:   CN=<RootCA>, OU=<org unit>, O=<org>, L=<location>, ST=<state>, C=<country>

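As an added illustration of the two options above (not part of this KB article and not Gateway code), the following script builds a constructed RootCA > IntermediateCA > server certificate chain with openssl and checks which trust anchor still validates the vendor's certificate after it rotates. The names, the scratch directory, and the use of openssl's -partial_chain flag to stand in for a Gateway that trusts a single imported certificate are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the KB article and not Gateway code: build a constructed
# RootCA -> IntermediateCA -> server certificate chain with openssl in a scratch
# directory, then check which trust anchor still validates the vendor's server
# certificate after it is rotated. All names below are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (constructed): CA certificates vs. an end-entity server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:api.vendor.example\n' > server.ext

# RootCA: self-signed and long lived (chain position 3 in the article).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example RootCA/O=Example Corp" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 3650 \
  -extfile ca.ext 2>/dev/null

# IntermediateCA: issued by the root (chain position 2).
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example IntermediateCA/O=Example Corp" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 1825 -extfile ca.ext 2>/dev/null

# Server certificate: short lived, issued by the intermediate (chain position 1).
# Each call stands for one rotation by the vendor: new key, new serial, same name.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=api.vendor.example/O=Vendor Inc" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out "$1.crt" -days 90 -extfile server.ext 2>/dev/null
}
issue_server_cert server_v1   # the certificate originally imported into the gateway
issue_server_cert server_v2   # the rotated certificate that broke the handshake

# chains_to_anchor <anchor.crt> <presented.crt>: exit 0 when the presented server
# certificate validates with <anchor.crt> as the only trusted certificate.
# -partial_chain lets a non-root certificate (intermediate or even the leaf) act as
# the trust anchor, standing in for a gateway that trusts one imported certificate;
# -untrusted supplies the intermediate the way a TLS server sends it in the handshake.
chains_to_anchor() {
  openssl verify -partial_chain -CAfile "$1" -untrusted inter.crt "$2" >/dev/null 2>&1
}

# well_known_trusts <presented.crt>: exit 0 when the certificate chains to a CA in
# openssl's default trust store, the analogue of pkix.useDefaultTrustAnchors=true.
# A vendor certificate from a public CA passes here; one from a private CA does not.
well_known_trusts() {
  openssl verify -untrusted inter.crt "$1" >/dev/null 2>&1
}

# Matrix of anchor choice vs. certificate presented by the vendor.
for presented in server_v1.crt server_v2.crt; do
  for anchor in server_v1.crt inter.crt root.crt; do
    if chains_to_anchor "$anchor" "$presented"; then r=OK; else r=FAIL; fi
    printf 'anchor=%-14s presented=%-14s %s\n' "$anchor" "$presented" "$r"
  done
  if well_known_trusts "$presented"; then r=OK; else r=FAIL; fi
  printf 'anchor=%-14s presented=%-14s %s\n' "default-store" "$presented" "$r"
done
```

The matrix shows the trade-off the article describes: with server_v1.crt as the anchor only server_v1 validates and the rotated server_v2 fails, which is the outage; with inter.crt or root.crt as the anchor both versions validate, because the anchor outlives the leaf, at the cost of trusting everything that chain issues. The default-store row fails for both because the constructed root is private, which is the case where pkix.useDefaultTrustAnchors alone does not help and an anchor from the vendor's own chain is still needed.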

The cluster-wide property io.httpsHostVerify defaults to true; the different scenarios it covers are described in KB 261134.