Do we need to restart the API Gateway after a change in a private key? Earlier we used to restart the gateway when there was a change in the default SSL key. I looked at the new documentation and I don't see anything mentioned about a gateway restart.
Reference: Private Key Properties - CA API Gateway - 9.2 - CA Technologies Documentation
There are multiple scenarios; below are some I could think of.
1. Adding a new private key on routing assertion.
2. Replacing an existing key.
3. Replace Certificate Chain in Manage Private Keys properties.
4. Mark as special purpose
Thanks & regards,
The short answer to your specific question in regards to changing a key is yes, you need to restart the gateway, for 2 reasons.
1. If you are changing a key, that means you are deleting the old key, and for the deletion to be recognized a restart is required.
2. When creating the new key, if you configure the "Mark as special purpose" options on a new key, that also requires the nodes to be restarted.
For scenario #1, adding a new private key to the route assertion does not require a restart if you are using a key that already exists, but if you are replacing a key during the process then it takes you back to scenario #2, replacing a key, which requires a restart.
Is it really required to have a restart of the gateway especially for scenario #3? Here we are using:
- the existing private key, which means no deletion and re-creation is required
- the same link and alias in the Routing Assertion, which will not be broken due to deletion of the key
Yes, I can confirm that deleting a private key will break the link in the Routing Assertion ("Unrecognized") and re-creating it with the same alias will NOT automatically restore it.
But if the renewal will be done based on the existing key and just a "Replace Certificate Chain" is required, I would expect that here no restart is required and that the new certificate will be used automatically for any new connection.
Can someone confirm this?
And as Anand already asked, isn't there any official documentation and best practices available on how to handle such private key renewals?
I tested scenario 3, and we had to perform a gateway restart after replacing the certificate chain.