Set a Default SSL or CA Private Key

You can designate a private key to be the default SSL or CA private key for the cluster.

Do not use the same key as both the default CA key and the default SSL key. Doing so causes the Policy Manager to fail to connect to the Layer7 API Gateway.
Set a Key as a Default Key
The following instructions connect to the Gateway on port 9443 in order to change the key on the default connection port, 8443. Port 8443 is the port the Policy Manager uses by default to connect to the Gateway. If you change the private key on the same port the Policy Manager is using for its connection, all cluster nodes must be restarted before the change takes effect.
To set a key as a default SSL or CA private key:
  1. Using Policy Manager, connect to the Gateway on port 9443. For example:
    Connecting on port 9443 allows you to configure the default connection port 8443 without restarting the Gateway. 
  2. Select Tasks > Certificates, Keys, and Secrets > Manage Private Keys from the Main Menu.
    The Manage Private Keys dialog appears.
  3. Are you setting an existing private key as a default key? If so, skip to the next step.
    Otherwise, click
    to load a new key.
    Type a key alias to identify the key. Do not use 'SSL' as the alias.
    Select your key file and click 
    After successful validation of the key file format, the key appears in the list under the new alias.
  4. Select the private key in the list and then click 
    The Private Keys Properties dialog appears.
  5. Click Mark as Special Purpose.
  6. Select one of the following options:
    • Select Make Default SSL Key to make this key the default SSL private key (indicated by the default SSL key icon in the list).
    • Select Make Default CA Key to make this key the default CA private key (indicated by the default CA key icon in the list).
  7. Click 
     to confirm.
  8. Click
  9. Go to Manage Listen Ports.
  10. Select port 8443 and click 
    The Listen Port Properties dialog appears.
  11. Click the SSL/TLS Settings tab.
  12. For Server Private Key, select the alias of the key you designated as the default SSL key in step 6.
  13. Click 
Limitation for ECC Keys
When a key with an elliptic curve (ECC) certificate is designated as the default SSL key, the Require Encrypted Element assertion does not function when the Gateway is used with the default WSS recipient, because:
  • The Gateway does not currently support encrypting XML for a recipient using an ECC key.
  • The Gateway does not currently support decrypting XML that was encrypted for an ECC key.
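After completing the procedure above, a practitioner should confirm from outside the Policy Manager that the listen port really presents the new key, and check whether that key is an EC key subject to the limitation just described. The following script is an added example and is not part of the Layer7 product documentation; it assumes only that the openssl command-line tool is installed and that the hostname you pass resolves to the Gateway. The function and variable names (fetch_leaf_cert, report_port, GATEWAY_HOST) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the product documentation: verify the certificate a
# Gateway listen port presents after the default SSL key is changed, and flag EC
# keys, which break the Require Encrypted Element assertion with the default
# WSS recipient. Assumes the openssl CLI is installed.
set -eu

# Print the leaf certificate (PEM) presented by host:port.
fetch_leaf_cert() {
  host=$1; port=$2
  # </dev/null closes the session once the handshake completes; SNI is set so
  # a Gateway configured per-hostname presents the matching certificate.
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# SHA-256 fingerprint (colon-separated hex) of a PEM certificate read from stdin.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Public key algorithm of a PEM certificate read from stdin:
# "rsaEncryption" for RSA keys, "id-ecPublicKey" for EC keys.
cert_key_algorithm() {
  openssl x509 -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Print "yes" if the ECC limitation applies to the certificate on stdin, else "no".
ecc_limitation_applies() {
  case "$(cert_key_algorithm)" in
    id-ecPublicKey) echo yes ;;
    *) echo no ;;
  esac
}

# Report fingerprint and key algorithm for one listen port, with an EC warning.
report_port() {
  host=$1; port=$2
  cert=$(fetch_leaf_cert "$host" "$port")
  printf '%s:%s fingerprint=%s key=%s\n' "$host" "$port" \
    "$(printf '%s\n' "$cert" | cert_fingerprint)" \
    "$(printf '%s\n' "$cert" | cert_key_algorithm)"
  if [ "$(printf '%s\n' "$cert" | ecc_limitation_applies)" = yes ]; then
    echo "  warning: EC default SSL key; Require Encrypted Element will not work with the default WSS recipient"
  fi
}

# Example usage (hostname is a placeholder; substitute your Gateway's):
#   GATEWAY_HOST=gateway.example.com
#   report_port "$GATEWAY_HOST" 8443   # the Policy Manager connection port
#   report_port "$GATEWAY_HOST" 9443   # the port used to make the change
```

Compare the fingerprint printed for 8443 against the fingerprint of the key you imported (Manage Private Keys shows it in the key's properties); if they differ, the old key is still being served and, per the note above, a restart of the cluster nodes may be required when the change was made on the port the Policy Manager itself was using.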