I found that many users run into the problem of having to restart the routers after adding a new certificate to the Apigee truststore, when using mTLS on a northbound API call. This is specific to on-prem installations.
When you add a certificate to the Apigee truststore, it does not take effect until you restart the router. Using a reference does not change this. Restarting routers frequently in production is not practical.
We found that after adding a certificate to the truststore, refreshing the reference with a PUT call makes the certificate take effect without a router restart.
Note: this does not work for deletes. After deleting a certificate, a router restart is still required.
Below are the commands for reference.
Make a request with mTLS:
curl -k -G -v --key test1.key --cert ClientCertificate.crt:pass https://apigee-test.com/test
Upload the certificate to the truststore:
curl -X POST -F "file=@interserv.pem" 'http://MP:8080/v1/o/operations/e/operations/keystores/truststoreops/certs?alias=test1.com&ignoreExpi...' -H 'Authorization: Basic XXXXXXXX'
Then PUT the truststore reference to refresh it:
curl -L -X PUT 'http://mp:8080/v1/o/operations/e/operations/references/truststoreopsref' \
-H 'Authorization: Basic XXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/xml' \
--data-raw '<ResourceReference name="truststoreopsref">
<Refers>truststoreops</Refers>
<ResourceType>KeyStore</ResourceType>
</ResourceReference>'
In case of a delete:
curl -X DELETE 'http://mp:8080/v1/o/operations/e/operations/keystores/truststoreops/certs/test1.com' -H 'Authorization: Basic *********************'
A router restart is required after the delete.
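The upload-then-refresh procedure above, wrapped in a small script as an added example (not from the original post): it uploads the PEM, re-PUTs the reference so the routers reload the truststore, and then checks that an mTLS call succeeds. The management host, org/env, keystore and reference names, credentials and file paths are placeholders supplied through environment variables.

```shell
#!/bin/sh
# Added example: add a cert to an Apigee on-prem truststore and refresh the
# reference with a PUT instead of restarting routers, then verify with mTLS.
# All hostnames, names and credentials below are assumed placeholders.
set -eu

MGMT="${MGMT:-http://mp:8080}"          # management server (placeholder)
ORG="${ORG:-operations}"
ENV="${ENV:-operations}"
KEYSTORE="${KEYSTORE:-truststoreops}"
REF="${REF:-truststoreopsref}"
AUTH="${AUTH:-Basic XXXXXXXX}"          # replace with real credentials

# Body of the ResourceReference that points reference $1 at keystore $2.
reference_xml() {
  printf '<ResourceReference name="%s"><Refers>%s</Refers><ResourceType>KeyStore</ResourceType></ResourceReference>' "$1" "$2"
}

# Management API path of the certs collection for org $1, env $2, keystore $3.
certs_path() {
  printf '/v1/o/%s/e/%s/keystores/%s/certs' "$1" "$2" "$3"
}

# Step 1: upload the PEM ($2) into the truststore under alias $1.
upload_cert() {
  curl -sS -f -X POST -F "file=@$2" -H "Authorization: $AUTH" \
    "$MGMT$(certs_path "$ORG" "$ENV" "$KEYSTORE")?alias=$1"
}

# Step 2: re-PUT the reference; this is what makes routers reload the truststore.
refresh_reference() {
  curl -sS -f -L -X PUT -H "Authorization: $AUTH" -H 'Content-Type: application/xml' \
    --data-raw "$(reference_xml "$REF" "$KEYSTORE")" \
    "$MGMT/v1/o/$ORG/e/$ENV/references/$REF"
}

# Step 3: call the API with client key $1 and cert $2 at URL $3; print HTTP code.
# Add --cacert <ca.pem> if the client does not trust the router's server cert.
verify_mtls() {
  curl -sS -o /dev/null -w '%{http_code}' --key "$1" --cert "$2" "$3"
}

# Usage: ./refresh.sh run <alias> <cert.pem> <client.key> <client.crt> <api-url>
if [ "${1:-}" = "run" ]; then
  upload_cert "$2" "$3"
  refresh_reference
  code=$(verify_mtls "$4" "$5" "$6")
  [ "$code" = "200" ] || { echo "mTLS call returned HTTP $code" >&2; exit 1; }
fi
```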