The private key is assigned to listen ports.
1. Create a new private key, for example: ssl9443
2. Go to Tasks -> Manage Listen Ports -> open properties of port 9443 and make following changes:
a) on the Basic Settings tab, ensure "Policy Manager Access" is checked
b) on the SSL/TLS Settings tab, change the "Server Private Key" to 'ssl9443' in Software DB"
c) click 'OK' to save changes.
3. Log in to the Policy Manager using port 9443 --> on login window, in "Gateway:" field, input: <gatewayhostname>:9443
4. Navigate to Manage Private Keys task - now you can delete keys.
NOTE: You can delete the "ssl" key even if it's marked as the default SSL key, as your current Policy Manager connection is using key 'ssl9443'. Be careful that you don't delete the key you want to keep.
As a safety measure, have DB backup and VM snapshot in place. You can also take a back of the current key marked as the default SSL.