New certificates were issued to CA Technologies for signing Platform Updates, for the purpose of ensuring the integrity of the update files. The Gateway verifies the contents of each patch against a signature to ensure that no data has been modified, either incidentally or intentionally, before the patch is applied. These certificates periodically expire and must be replaced. When the certificate expires or is about to expire, it is updated in the next minor Gateway Application Update. As a result, a legitimate Gateway patch may fail to apply because the certificate used to sign that patch differs from the currently installed patch signing certificate.
The following error may be visible in the Gateway, Process Controller, or Patch logs when attempting to upload a patch. During the "upload" operation, the Gateway decompresses the patch file and verifies the signature contained within it against the files stored in the patch. If the certificate used to sign the patch file does not match the one that is currently installed, the upload operation fails:
com.l7tech.server.processcontroller.patching.client.PatchCli: Patch API Error: Certificate is not trusted for signing patches
This typically occurs when an administrator applies patches out of order. As indicated, the patch signing certificates were most recently changed in version 8.1.0 of the API Gateway, and the new certificates are included in the 8.1.0 Platform Update. Use the following article to apply Gateway patches in the appropriate order: Installing Platform Updates for the CA API Security and Management Product Suite