Unable to replace certificate chain: Error Assigning New Cert



Article ID: 42979




STARTER PACK-7 CA Rapid App Security CA API Gateway


An RSA private key and its certificate both carry the same modulus and public exponent; these values are what tie a certificate to a particular private key and vice versa. If the modulus of a signed certificate does not match the modulus of a private key, that certificate cannot be packaged with the private key. Most client applications that build PKCS#12 key stores enforce this, and the Gateway is one of them. In some circumstances a customer may attempt to replace the certificate chain of an existing private key with a new chain. If the new chain does not match that key, the Gateway will not allow the replacement to occur.

The following error messages or warning dialog may be presented to the operator or administrator when a certificate cannot be assigned to a private key stored on the Gateway:

  • Gateway log file: com.l7tech.server.admin.TrustedCertAdminImpl: Error setting new cert: java.security.KeyStoreException: New certificate does not certify the public key for this private key.
  • Policy Manager warning dialog: Error Assigning new Cert. Make sure the cert you choose is related to the public key it is being assigned for.
  • Policy Manager console: WARNING: Error Assigning new Cert. Make sure the cert you choose is related to the public key it is being assigned for.

Additionally, the private key whose certificate is being replaced will not reflect the new certificate: the old thumbprint and serial number will still be visible in the Manage Private Keys dialog.



Component: APIGTW


This issue is typically caused by an administrative error. Most PKI management implementations involve delivering a Certificate Signing Request (CSR) to a trusted Certificate Authority (CA). Under normal operating conditions, the CSR is generated against an existing private key and delivered to the CA, which then returns a signed certificate that can co-exist with that existing key. In some PKI management implementations, however, a new certificate is not issued in response to a CSR; instead, the CA provides a complete PKCS#12 key store containing a new private key together with its certificate. The error documented in this article occurs most commonly when the PKI management implementation delivers such a new key and accompanying certificate instead of issuing a new certificate for the existing key. An operator or administrator will need to ensure either that the PKI management implementation delivers a certificate issued in response to a CSR for a key stored on the Gateway, or that the new key store provided by the PKI management implementation is used to replace the existing key on the Gateway.


It is necessary to verify manually that the new certificate intended to replace the existing certificate belongs to the correct private key. As noted above, a certificate and key must share the same modulus and exponent in order to be associated with one another. These values can be inspected with the OpenSSL suite, which is available for both Windows and Linux and is also installed on the Gateway appliance. Place the existing key and the new certificate on the same system that has OpenSSL installed and run the following two commands:

  1. openssl x509 -noout -modulus -in [certificate file] | openssl md5
  2. openssl rsa -noout -modulus -in [private key file] | openssl md5

The first command produces an MD5 hash of the modulus of the supplied X.509 certificate. The second command performs the same operation on the supplied RSA private key file. If the two hash values differ then the moduli differ, which means the private key and certificate are not associated with one another and the Gateway will refuse the assignment.
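The following script is an added example and is not part of the original article or the Gateway product. It wraps the two OpenSSL commands above in a POSIX shell helper that reports whether a certificate and an RSA private key belong together, and it goes one step beyond the article by also comparing the complete exported public key (modulus, exponent and algorithm) from both files. It assumes the `openssl` command-line tool is on `PATH`; the file names `new_cert.pem`, `existing_key.pem` and the `make_demo_material` function that generates throwaway keys are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the original article): check whether an X.509
# certificate and an RSA private key share the same modulus, which is the
# condition the Gateway enforces before it will assign a certificate to a key.
# Assumes the openssl CLI is on PATH. File names are operator-supplied
# placeholders; nothing here touches the Gateway itself.

# MD5 of the modulus inside an X.509 certificate (first command in the article).
cert_modulus_hash() {
    [ -r "$1" ] || return 2
    openssl x509 -noout -modulus -in "$1" | openssl md5
}

# MD5 of the modulus inside an RSA private key (second command in the article).
# An encrypted key file will prompt for its passphrase here.
key_modulus_hash() {
    [ -r "$1" ] || return 2
    openssl rsa -noout -modulus -in "$1" | openssl md5
}

# Stricter check that goes beyond the article: export the full public key
# from both files (modulus and exponent, plus the algorithm) and compare them.
pubkey_matches() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_pair CERT KEY: returns 0 on match, 1 on mismatch, 2 if a file cannot be read.
check_pair() {
    cert_hash=$(cert_modulus_hash "$1") || return 2
    key_hash=$(key_modulus_hash "$2") || return 2
    if [ "$cert_hash" = "$key_hash" ] && pubkey_matches "$1" "$2"; then
        echo "MATCH: $1 certifies the public key of $2"
        return 0
    fi
    echo "MISMATCH: $1 does not certify the public key of $2 (expect 'Error Assigning New Cert')"
    return 1
}

# Constructed demo material (hypothetical, for testing the helper offline):
# one throwaway key with a self-signed certificate, plus a second unrelated
# key that reproduces the mismatch condition described in the article.
make_demo_material() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/key_a.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/key_a.pem" -subj "/CN=demo-a" \
        -days 1 -out "$dir/cert_a.pem" 2>/dev/null
    openssl genrsa -out "$dir/key_b.pem" 2048 2>/dev/null
    echo "$dir"
}

# Usage: sh check_pair.sh new_cert.pem existing_key.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Run it against the certificate returned by the CA and the key already stored on the Gateway before attempting the replacement in the Policy Manager: a MATCH means the certificate was issued for that key's CSR, while a MISMATCH indicates the PKI process produced a fresh key pair and the delivered PKCS#12 should be imported as a new key instead.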