Forum Discussion

wgranada's avatar
wgranada
Icon for Nimbostratus rankNimbostratus
May 20, 2024

Deleting Old Certs

Good day,

I know there has been threads on this but none of them have what I am looking for,  here is some background on what is going on. We had to upgrade our F5 to 15.1.8, now prior to upgrading we had a few certs that expired, so the thought was lets do the upgrade first then we can remove the expired ccerts.  But after the upgrade we attempted to remove the certs first via the GUI

System => Certificate Management  => searched for expired Cert and checked the box => and clicked on delete

but that didn't do anything still there

So I tried the command line

delete sys file ssl-cert <Cert name>

but same results.  How do I remove these old certs?  Where besides /Common are these files stored?

 

Thank you in advance!

Warren

certficate
  • amine-elhijazi's avatar
    amine-elhijazi
    Icon for Altocumulus rankAltocumulus
    May 20, 2024

    Hello, 

    I believe deleting the certs from bigip.conf is not a good idea . know also that the certs  with the keys are stored in the /config/filestore/files_d/*_d/certificate_d 

    you don't have any error after hitting the delete button  ? not event in ltm logs ? 

    • wgranada's avatar
      wgranada
      Icon for Nimbostratus rankNimbostratus
      May 21, 2024

      I'll have to attempt to delete it again from the Certification Manager but currently this is how it looks like

      I have a question if I attempt to delete it from /config/filestore/files_d/*_d/certificate_d will that remove it from the above?  I will attempt remove it again via the GUI and see what throws back to me.

       

      Thank you!!

  • wgranada's avatar
    wgranada
    Icon for Nimbostratus rankNimbostratus
    May 20, 2024

    Apologies I left out that, yes I have confirmed that they are no longer in use, these are old certs dating back to 2020 and these clients are no longer with us.  I have been snooping around and please correct me if I am wrong but looks like I can go into the /config and vim the bigip.conf.  I did a search in there for one of the old clients and I do see them there. I was thinking of removing the entry from that file.  I'm I correct or I shouldn't be messing around with that file?  Your thoughts

     

    Thank you!

    • zamroni777's avatar
      zamroni777
      Icon for Nacreous rankNacreous
      May 20, 2024

      editing config file can results in orphaned configuration and waives support services.

      i suggest that you open service ticket and let f5 support solves the problem

  • zamroni777's avatar
    zamroni777
    Icon for Nacreous rankNacreous
    May 20, 2024

    those certificates might still be used by ssl profiles.
    make sure the certs are not used by any ssl profiles before deletion.