Portal updates that require new certificates to be imported can fail with the mapping errors shown below. The failure is confusing because the documented processes for removing and re-adding the certificates do not explain its cause.
<l7:Mapping action="NewOrUpdate" actionTaken="UpdatedExisting" srcId="68f4f7b3162210e735f460b4daba442d" targetId="746fffffc2a328f66d8f09ece547a8ad" targetUri="/1.0/trustedCertificates/746fffffc2a328f66d8f09ece547a8ad" type="TRUSTED_CERT">
<l7:Properties>
<l7:Property key="MapBy">
<l7:StringValue>name</l7:StringValue>
</l7:Property>
</l7:Properties>
</l7:Mapping>
<l7:Mapping action="NewOrUpdate" errorType="UniqueKeyConflict" srcId="64a93bdd8aeb093dd43fcc616d4ae2c9" type="TRUSTED_CERT">
<l7:Properties>
<l7:Property key="ErrorMessage">
<l7:StringValue>(thumbprintSha1) must be unique</l7:StringValue>
</l7:Property>
<l7:Property key="MapBy">
<l7:StringValue>name</l7:StringValue>
</l7:Property>
</l7:Properties>
</l7:Mapping>
<l7:Mapping action="NewOrUpdate" errorType="UniqueKeyConflict" srcId="68f4f7b3162210e735f460b5daba442d" type="TRUSTED_CERT">
<l7:Properties>
<l7:Property key="ErrorMessage">
<l7:StringValue>(thumbprintSha1) must be unique</l7:StringValue>
</l7:Property>
<l7:Property key="MapBy">
<l7:StringValue>name</l7:StringValue>
</l7:Property>
</l7:Properties>
</l7:Mapping>
CA API Portal: 5.x
CA API Gateway: Any
The current Portal version has three certificates that a Gateway requires by default:
pssg (which should always be named pssg), which by default has the ID 68f4f7b3162210e735f460b4daba442d
*** Note the "b4" in that ID.
apim-ssg<insertvaluehere>, which by default has the ID 68f4f7b3162210e735f460b5daba442d
*** Note the "b5" in that ID; it differs from the pssg ID only in that character.
datalake<insertvaluehere>, which by default has the ID 64a93bdd8aeb093dd43fcc616d4ae2c9
On a fresh install, these three items are inserted with the IDs noted above through the Gateway's restman bundle endpoint.
Many KBs (and the documentation) tell you to remove these certificates AND re-add them through the Gateway's Manage Certificates dialog. Doing so has two effects:
a) It lets you specify the NAME. It is important to use the same name the removed certificate had, which much of the documentation does not cover thoroughly.
b) It changes the object's default restman ID, so the re-added certificate no longer has the ID listed above.
The ID becomes unimportant IF the name is an identical match to the name in the bundle, because, as the error output above shows, the mapping is resolved by name:
<l7:Property key="MapBy">
<l7:StringValue>name</l7:StringValue>
</l7:Property>
With MapBy name, if the name is identical to the one in the bundle, the import finds the existing object of that name (and its SHA-1 thumbprint) and updates it. If the name differs by even one character, the MapBy name lookup fails and the import falls back to creating a new object. That create fails too, BECAUSE (thumbprintSha1) must be unique: the certificate data is already present on the Gateway, but under an object whose ID does not match AND whose NAME does not match.
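The following is an added example written for this article (it is not Gateway or Portal code) that models the two rules just described as a dry run: a bundle item whose name exactly matches an existing trusted certificate is updated in place; otherwise a create is attempted, and it fails with "(thumbprintSha1) must be unique" when the same certificate already exists under another name and ID. The IDs in BUNDLE are the defaults quoted above; the names, thumbprints and the re-added objects' IDs are constructed sample data, and the model covers only the behaviour this article describes.

```python
"""Dry run of how a restman bundle import resolves TRUSTED_CERT items by name.

Added example written for this article; it is not Gateway or Portal code. It
models the two rules described in the article: with MapBy=name an existing
trusted certificate with exactly the same name is updated; otherwise a new
object is created, and that create fails with "(thumbprintSha1) must be unique"
when the same certificate already exists on the gateway under another name/ID.
Names, thumbprints and the re-added IDs are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedCert:
    id: str               # restman object ID
    name: str             # editable name shown in Manage Certificates
    thumbprint_sha1: str  # SHA-1 thumbprint of the certificate data (made up)


# Certificates as they appear in the Portal bundle (IDs are the defaults from
# the article; thumbprints are constructed).
BUNDLE = [
    TrustedCert("68f4f7b3162210e735f460b4daba442d", "pssg", "aa11"),
    TrustedCert("68f4f7b3162210e735f460b5daba442d", "apim-ssgTSSG", "bb22"),
    TrustedCert("64a93bdd8aeb093dd43fcc616d4ae2c9", "datalakeDSSG", "cc33"),
]

# Gateway inventory after apim-ssg/datalake were removed and re-added through
# the certificate dialog: new IDs, and names that differ by one character.
GATEWAY_BAD = [
    TrustedCert("68f4f7b3162210e735f460b4daba442d", "pssg", "aa11"),
    TrustedCert("0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f01", "apim-ssg TSSG", "bb22"),
    TrustedCert("0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f02", "DatalakeDSSG", "cc33"),
]

# Same inventory, re-added under the exact original names (new IDs are fine).
GATEWAY_GOOD = [
    GATEWAY_BAD[0],
    TrustedCert("0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f01", "apim-ssgTSSG", "bb22"),
    TrustedCert("0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f02", "datalakeDSSG", "cc33"),
]


def resolve(item, existing):
    """Predict one NewOrUpdate / MapBy=name mapping result for a bundle item."""
    by_name = {c.name: c for c in existing}
    by_thumb = {c.thumbprint_sha1: c for c in existing}
    match = by_name.get(item.name)
    if match is not None:                      # MapBy name hit: update in place
        return {"srcId": item.id, "actionTaken": "UpdatedExisting",
                "targetId": match.id}
    clash = by_thumb.get(item.thumbprint_sha1)
    if clash is not None:                      # same cert data, other name/ID
        return {"srcId": item.id, "errorType": "UniqueKeyConflict",
                "errorMessage": "(thumbprintSha1) must be unique",
                "conflictsWith": clash.name}
    return {"srcId": item.id, "actionTaken": "CreatedNew", "targetId": item.id}


def dry_run(bundle, existing):
    """Mapping result for every item of the bundle, in bundle order."""
    return [resolve(item, existing) for item in bundle]


def conflicts(bundle, existing):
    """Pre-import check: (bundle name, existing name) for items that would fail.

    Renaming the existing certificate to the bundle name (or re-importing it
    under that name) before applying the bundle turns the conflict into an update.
    """
    return [(item.name, r["conflictsWith"])
            for item, r in zip(bundle, dry_run(bundle, existing))
            if r.get("errorType")]


if __name__ == "__main__":
    for label, inventory in (("before renaming", GATEWAY_BAD),
                             ("after renaming", GATEWAY_GOOD)):
        print(label)
        for r in dry_run(BUNDLE, inventory):
            print("  ", r)
        print("   conflicts:", conflicts(BUNDLE, inventory))
```

Feed it the real inventory (name, ID and SHA-1 thumbprint of each entry in Manage Certificates, or from the trustedCertificates resource the targetUri above points at) and the bundle's TRUSTED_CERT items before importing; every pair returned by conflicts() is a name to correct first.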
The safest way to ensure a match:
1) Export each certificate (apim-ssg, pssg, datalake). When exporting each one, ENSURE the export name is an IDENTICAL match to the existing NAME in the Gateway's Manage Certificates dialog.
2) When importing each certificate, ensure the optional Name you specify IS the exact name of the exported certificate from step 1.
The re-import steps can vary slightly, and some documentation reflects this.
In ALL cases the pssg certificate MUST EXIST.
In most cases the certificates are included in the bundle, BUT NOT ALL bundles include them. Where the bundle does contain the certificate data (upgrades or new installs), you can keep only the pssg certificate and let the Portal upgrade bundle remove and update the other two. This is not one-size-fits-all, so if you removed ALL EXCEPT pssg, check whether the other two were imported by the Portal update action; if not, re-import them. Again, the NAME is very important and must match what originally existed for apim-ssg (i.e. TSSG) and datalake (i.e. DSSG).
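The check just described (did the Portal update create or update the other two certificates?) can be done mechanically on the import response rather than by eye. The following is an added example for this article, not Gateway or Portal code: it parses the <l7:Mapping> results for TRUSTED_CERT items and lists which of the three default certificates were neither created nor updated. SAMPLE is constructed to match the mapping output at the top of this article; the xmlns:l7 declaration is the one restman bundles carry and is assumed here, but the code matches tags by local name and does not depend on it.

```python
"""Summarise TRUSTED_CERT mapping results from a restman bundle import.

Added example for this article, not Gateway or Portal code. SAMPLE is
constructed to match the mapping output shown at the top of the article; pass
the <l7:Mappings> element of a real import response instead. Elements are
matched by local name, so the (assumed) namespace declaration does not matter.
"""
import xml.etree.ElementTree as ET

# Default restman IDs of the three certificates, as listed in the article.
DEFAULT_IDS = {
    "pssg": "68f4f7b3162210e735f460b4daba442d",
    "apim-ssg": "68f4f7b3162210e735f460b5daba442d",
    "datalake": "64a93bdd8aeb093dd43fcc616d4ae2c9",
}

SAMPLE = """<l7:Mappings xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
  <l7:Mapping action="NewOrUpdate" actionTaken="UpdatedExisting" srcId="68f4f7b3162210e735f460b4daba442d" targetId="746fffffc2a328f66d8f09ece547a8ad" targetUri="/1.0/trustedCertificates/746fffffc2a328f66d8f09ece547a8ad" type="TRUSTED_CERT">
    <l7:Properties><l7:Property key="MapBy"><l7:StringValue>name</l7:StringValue></l7:Property></l7:Properties>
  </l7:Mapping>
  <l7:Mapping action="NewOrUpdate" errorType="UniqueKeyConflict" srcId="64a93bdd8aeb093dd43fcc616d4ae2c9" type="TRUSTED_CERT">
    <l7:Properties>
      <l7:Property key="ErrorMessage"><l7:StringValue>(thumbprintSha1) must be unique</l7:StringValue></l7:Property>
      <l7:Property key="MapBy"><l7:StringValue>name</l7:StringValue></l7:Property>
    </l7:Properties>
  </l7:Mapping>
  <l7:Mapping action="NewOrUpdate" errorType="UniqueKeyConflict" srcId="68f4f7b3162210e735f460b5daba442d" type="TRUSTED_CERT">
    <l7:Properties>
      <l7:Property key="ErrorMessage"><l7:StringValue>(thumbprintSha1) must be unique</l7:StringValue></l7:Property>
      <l7:Property key="MapBy"><l7:StringValue>name</l7:StringValue></l7:Property>
    </l7:Properties>
  </l7:Mapping>
</l7:Mappings>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _properties(mapping):
    """Flatten <Property key=K><StringValue>V</StringValue></Property> into {K: V}."""
    props = {}
    for el in mapping.iter():
        if _local(el.tag) == "Property":
            value = next((c.text for c in el if _local(c.tag).endswith("Value")), None)
            props[el.get("key")] = value
    return props


def trusted_cert_results(xml_text):
    """One dict per TRUSTED_CERT <Mapping>, in document order."""
    results = []
    for m in ET.fromstring(xml_text).iter():
        if _local(m.tag) != "Mapping" or m.get("type") != "TRUSTED_CERT":
            continue
        props = _properties(m)
        results.append({
            "srcId": m.get("srcId"),
            "targetId": m.get("targetId"),
            "actionTaken": m.get("actionTaken"),
            "errorType": m.get("errorType"),
            "errorMessage": props.get("ErrorMessage"),
            "mapBy": props.get("MapBy"),
        })
    return results


def not_imported(results, expected=DEFAULT_IDS):
    """Names from `expected` whose bundle srcId was neither created nor updated.

    These are the certificates to re-import by hand, under their original names.
    """
    applied = {r["srcId"] for r in results
               if r["actionTaken"] in ("UpdatedExisting", "CreatedNew")}
    return [name for name, src_id in expected.items() if src_id not in applied]


if __name__ == "__main__":
    res = trusted_cert_results(SAMPLE)
    for r in res:
        print(r["srcId"], r["actionTaken"] or r["errorType"], r["errorMessage"] or "")
    print("re-import needed for:", not_imported(res))
```

Because the article's default IDs are keyed by srcId (the ID inside the bundle, which the Portal controls), the check is unaffected by the new IDs the Gateway assigned when the certificates were re-added; only the names have to be restored.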
In cases where you choose to IMPORT all three certificates afresh:
Note the ORIGINAL (editable) NAME of each, or export them to files where the NAME (NOT the CN) is the filename. Then, when following the instructions to re-import them, ensure the NAME you give each certificate is the same as the exported file's NAME.
i.e.
1. Select "Retrieve via SSL Connection (HTTPS or LDAPS Url)" and enter the URL in the URL field.
2. Ensure the NAME is not the CN but the NAME of the certificate you exported/deleted.
3. If a hostname mismatch warning appears, click Accept.
4. Click NEXT, and under "Select one or more certificate usage options" check Outbound SSL Connections, then click NEXT.
5. Check "Certificate is a Trust Anchor".
6. Click FINISH.