Forum Discussion
Need to remove expired certificate from LTM
I have removed the expired cert from the locations below:
- /config/ssl/ssl.crt
- /config/ssl/ssl.key
- /config/filestore/files_d/Common_d/certificate_d
- /config/filestore/files_d/Common_d/certificate_key_d
- changed referenced default cert & key from profiles with the new one.
Below is the output I am getting while removing the cert & key:
admin@(seallb02)(cfg-sync In Sync)(Active)(/Common)(tmos) delete sys crypto cert default.crt
01071349:3: File object by name (/Common/default.crt) is in use.
admin@(seallb02)(cfg-sync In Sync)(Active)(/Common)(tmos) delete sys crypto key default.key
01071349:3: File object by name (/Common/default.key) is in use.
Any suggestions??
8 Replies
- skfads_167852
Nimbostratus
What is the version?
- Ganesh_Garg
Nimbostratus
11.4.1 HF5
- skfads_167852
Nimbostratus
Try this command from the CLI. It should be able to tell you where it is referenced.
tmsh show running-config recursive one-line | grep "default.crt"
If possible post the output here.
- Ganesh_Garg
Nimbostratus
I have checked this already, but it's not referenced in any configuration:
[admin@LB:Active:In Sync] ~ tmsh show running-config recursive one-line | grep "default.crt"
[admin@LB:Active:In Sync] ~
[admin@LB:Active:In Sync] ~ tmsh show running-config recursive one-line | grep "default.key"
[admin@LB:Active:In Sync] ~
- David__Pasch
Altostratus
default.crt is a default object, because it is used in the templates, and therefore cannot be deleted. Your only option is to renew it. And based on your code you may also have to force an mcpd reload to get the device to recognize it correctly, after it is renewed.
sol13030
Hope it helps!
- Ganesh_Garg
Nimbostratus
The problem here is, we have SSL certificate monitoring configured, and it is giving alerts as the certificate is expired. Is there any way I can stop monitoring of a specific certificate??
- Ganesh_Garg
Nimbostratus
And the reason I cannot renew it is because the certificate is using RSA-1024 key length, which is not an option for me to get it renewed with the same key length. The only key length option I have to use is RSA-2048.
- HP1
Nimbostratus
Did this get resolved? I'm assuming you had difficulty removing/deleting the default.crt because it's being referenced in the config. Did you find any mention of it in the bigip.conf file?