Need to remove expired certificate from LTM

I need to delete expired default.crt and default.key from LTM box. But it seems that certificate is being referenced somewhere else.

I have removed the expired cert from the locations below:

  • /config/ssl/ssl.crt
  • /config/ssl/ssl.key
  • /config/filestore/files_d/Common_d/certificate_d
  • /config/filestore/files_d/Common_d/certificate_key_d
  • changed referenced default cert & key from profiles with the new one.

Below is the output I am getting while removing the cert & key:

admin@(seallb02)(cfg-sync In Sync)(Active)(/Common)(tmos)# delete sys crypto cert default.crt
01071349:3: File object by name (/Common/default.crt) is in use.

admin@(seallb02)(cfg-sync In Sync)(Active)(/Common)(tmos)# delete sys crypto key default.key
01071349:3: File object by name (/Common/default.key) is in use.

Any suggestions??

Comments on this Question
Comment made 29-Jul-2015 by David Pasch 427
default.crt is a default object, because it is used in the templates, and therefore cannot be deleted. Your only option is to renew it. And based on your code you may also have to force an mcpd reload to get the device to recognize it correctly, after it is renewed. sol13030 Hope it helps!

Answers to this Question


What is the version?


11.4.1 HF5


Try this command from the CLI. It should be able to tell you where it is referenced.

tmsh show running-config recursive one-line | grep "default.crt"

If possible post the output here.


I have checked this already, but it's not referenced in any configuration:

[admin@LB:Active:In Sync] ~ # tmsh show running-config recursive one-line | grep "default.crt"
[admin@LB:Active:In Sync] ~ #
[admin@LB:Active:In Sync] ~ # tmsh show running-config recursive one-line | grep "default.key"
[admin@LB:Active:In Sync] ~ #


The problem here is, we have SSL certificate monitoring configured, and it is giving alerts as the certificate is expired. Is there any way I can stop monitoring of a specific certificate??


And the reason I cannot renew it is that the certificate is using an RSA-1024 key length, which is not an option for me to get it renewed with the same key length. The only key length option I have to use is RSA-2048.

Comments on this Answer
Comment made 22-Aug-2016 by HP 79

Did this get resolved? I'm assuming you had difficulty removing/deleting the default.crt because it's being referenced in the config. Did you find any mention of it in the bigip.conf file?

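An added example, not part of the thread and not F5 code: the `grep` search suggested above prints only matching lines, so this script walks a config in the brace-delimited stanza layout of bigip.conf and names the object that holds each reference to a cert or key. The sample config, its profile names and the `find_refs` function are constructed for illustration; it handles both multi-line and one-line stanzas and assumes braces are balanced.

```sh
#!/bin/sh
# Added example: report which stanzas of a BIG-IP style config reference a file object.

# Constructed sample (not from the thread), mixing multi-line and one-line stanzas.
sample_config() {
cat <<'EOF'
ltm profile client-ssl /Common/legacy-clientssl {
    cert /Common/default.crt
    key /Common/default.key
}
ltm profile client-ssl /Common/www-clientssl {
    cert /Common/www-2048.crt
    key /Common/www-2048.key
}
ltm profile server-ssl /Common/be-serverssl { cert /Common/default.crt key /Common/default.key }
sys file ssl-cert /Common/default.crt {
    revision 1
}
EOF
}

# find_refs NAME [FILE]: read FILE (default stdin) and print one line per
# top-level stanza that mentions NAME as a whole token.
find_refs() {
    awk -v name="$1" '
    function count(s, re) { return gsub(re, "&", s) }    # matches of re in s
    function mentions(line,   f, n, i) {                 # exact token match
        n = split(line, f, /[ \t]+/)
        for (i = 1; i <= n; i++) { gsub(/"/, "", f[i]); if (f[i] == name) return 1 }
        return 0
    }
    {
        if (depth == 0) {                    # between stanzas
            p = index($0, "{")
            if (p == 0) next                 # comment or blank line
            header = substr($0, 1, p - 1); sub(/[ \t]+$/, "", header)
            body = substr($0, p + 1)         # non-empty for one-line stanzas
            hit = mentions(header)           # the stanza that declares NAME
            if (hit) print "definition: " header
        } else body = $0
        if (!hit && mentions(body)) { print "reference: " header; hit = 1 }
        depth += count($0, "[{]") - count($0, "[}]")
    }' "${2:--}"
}

sample_config | find_refs /Common/default.crt
```

Pass the full object path as it appears in the error message (`/Common/default.crt`), since the match is on whole tokens.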