Symptoms
Uploading a signed certificate to the Access Gateway results in a “Certificate Upgrade Failed” error message and/or one of the following errors in the Access Gateway log or on-screen:
Cause
The signed certificate is in the wrong format.
-Or-
The private key on the Access Gateway does not match the public key in the signed certificate.
The built-in Generate Certificate Signing Request (CSR) wizard in the Access Gateway Administration Tool creates a public/private key pair. The public key goes into the CSR file and the private key remains on the gateway. Access Gateway holds only one private key at a time, so it is important not to run the Generate CSR wizard again until the Certificate Authority (CA) response certificate is installed.
The private key is included with the server configuration. In a scenario with multiple gateways and a different certificate required on each gateway, the configuration from one gateway cannot be published to another.
For example:
Two gateways are used in a cluster. Gateway 1 has a certificate installed and a CSR file is prepared on Gateway 2. If the configuration from Gateway 1 is published to Gateway 2, the CSR you generated on Gateway 2 can no longer be used because the private key from Gateway 1 is now on Gateway 2.
Resolution
Certificates for the Access Gateway should be Base64-encoded Web server (Apache) certificates.
-Or-
If a new CSR is created using the built-in Generate CSR tool in the Access Gateway Administration Tool, the following actions should not be performed until after the certificate is received and uploaded to the Access Gateway. The following actions overwrite the private key stored on the Access Gateway:
If one of these actions has been performed, the certificate received does not match the private key on the Access Gateway, and a new CSR and certificate must be generated to obtain a valid public/private key pair.
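
Both causes can be checked on an administrator workstation before the upload. The script below is an added example, not part of the original article or of any Citrix tool; it assumes the openssl command-line tool is installed, and the file names, the example.test host names and the self-signed certificate standing in for a CA response are constructed for illustration. It compares the certificate with the CSR file only, so it confirms that the CA signed the most recently generated request; it cannot see whether the private key on the gateway was overwritten afterwards.

```shell
#!/bin/sh
# Added example (not Citrix code). Requires the openssl command-line tool.

# Succeeds only if the file is a Base64 (PEM) encoded X.509 certificate.
is_base64_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Succeeds only if the certificate carries the same public key as the CSR.
cert_matches_csr() {  # $1 = certificate, $2 = CSR
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# Prints ok, wrong-format or key-mismatch; exit status is non-zero unless ok.
check_ca_response() {  # $1 = certificate, $2 = CSR
    if ! is_base64_cert "$1"; then echo "wrong-format"; return 1; fi
    if ! cert_matches_csr "$1" "$2"; then echo "key-mismatch"; return 1; fi
    echo "ok"
}

# Constructed sample data: two key pairs and CSRs standing in for Gateway 1
# and Gateway 2, plus a self-signed certificate for key 1 (PEM and DER copies)
# standing in for the CA response.
make_constructed_samples() {  # $1 = empty directory
    for n in 1 2; do
        openssl req -newkey rsa:2048 -nodes -keyout "$1/key$n.pem" \
            -out "$1/csr$n.pem" -subj "/CN=gw$n.example.test" 2>/dev/null || return 1
    done
    openssl req -new -x509 -key "$1/key1.pem" -days 1 \
        -subj "/CN=gw1.example.test" -out "$1/cert1.pem" 2>/dev/null || return 1
    openssl x509 -in "$1/cert1.pem" -outform DER -out "$1/cert1.der"
}

# Usage: sh check_ca_response.sh response.cer request.csr
if [ "$#" -eq 2 ]; then check_ca_response "$1" "$2"; fi
```

A result of key-mismatch means the certificate was issued for a different CSR than the one supplied, which is the situation that arises when the Generate CSR wizard is run again before the CA response is installed.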