Delete Certificates Cisco ASA

Peter Long
Level 1

Hi,

I can't find any syntax for removing single certs.

show crypto ca certificates

shows all the certificates in the ASA crypto archive, for all the trustpoints (of which there are three). But there are some old and unused certificates in there. I know removing the trustpoint and recreating it will remove all the associated certificates, but is there a way to delete an individual certificate, either by its serial number or by some other method?

Note: I've tried revoking the certs in the PKI (Windows certificate services), but that does not remove them either.

I know they are not doing any harm, but the client wants them removed.

 

Regards,

 

Pete

3 Replies

Marvin Rhoads
Hall of Fame

Hi Pete,

Does this fit the bill for what you're asking?

ASA(config)# no crypto ca certificate chain ?

configure mode commands/options:
  WORD < 65 char  Trustpoint Name

 

Hi Marvin,

 

I think that only lets you interact with trustpoints:

 

To enter certificate chain configuration mode for the indicated trustpoint, use the crypto ca certificate chain command in global configuration mode. To return to global configuration mode, use the no form of this command or use the exit command.

crypto ca certificate chain trustpoint
[no] crypto ca certificate chain trustpoint 

Peter Long
Level 1

Follow Up:

OK, you can delete a CA cert like so:

crypto ca certificate chain {Trustpoint}

no certificate ca {Certificate ID}

However, if you want to delete an identity cert then just do the same but drop the 'ca' keyword.

You will have a problem if this trustpoint is enrolled via SCEP/NDES (as mine was).

And trying to change the trustpoint to 'enrollment terminal' won't help, because you can't make a change to an authenticated trustpoint.

Before proceeding, back up the trustpoint configurations.

So in my case I had to remove the CA cert for this trustpoint (this automatically removes all the identity certs as well, but that's OK).

Then re-authenticate to SCEP and get the CA cert back again. (Note: for some reason the firewall had lost its FQDN info from the trustpoint (set up in the config). I restored it from earlier, but it's only one line!)

To get the CA cert back:

crypto ca authenticate {Trustpoint}

Finally, re-enroll with NDES/SCEP and you are good to go:

crypto ca enroll {Trustpoint}

 

Problem solved.

Pete
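The follow-up above leaves the reader to find the certificate ID by eye. The script below is an added example for this thread (not Cisco's code and not from the poster): it parses `show crypto ca certificates` output, picks out certificates whose validity has ended, and builds the chain-mode `no certificate` / `no certificate ca` commands per trustpoint, following the sequence Pete describes. It assumes the ID the chain-mode command takes is the hex serial number the ASA prints (that is how the running config lists `certificate ca <serial>` entries), and the sample output, trustpoint name `CORP-TP`, and serials are all constructed; field labels on other ASA releases may differ, so adjust the regexes if a block is skipped. For a SCEP/NDES-enrolled trustpoint (names you pass in `scep_trustpoints`) it appends Pete's recovery steps as `!` comments, since `crypto ca authenticate` and `crypto ca enroll` are interactive and cannot be pasted.

```python
"""Audit a Cisco ASA's `show crypto ca certificates` output and build the
chain-mode `no certificate` commands for certificates that have expired.
Added example for this thread (not Cisco's code). The show-output layout and
all names/serials below are constructed; adjust the regexes if your release
labels the fields differently."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample: one CA cert and two identity certs under one trustpoint.
SAMPLE_SHOW_OUTPUT = """\
CA Certificate
  Certificate Serial Number: 1a2b3c4d
  Subject Name:
    cn=Corp-Issuing-CA
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2019
    end   date: 00:00:00 UTC Jan 1 2029
  Associated Trustpoints: CORP-TP

Certificate
  Certificate Serial Number: 7f00000012
  Subject Name:
    cn=asa1.corp.example
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2021
    end   date: 00:00:00 UTC Jan 1 2023
  Associated Trustpoints: CORP-TP

Certificate
  Certificate Serial Number: 7f00000045
  Subject Name:
    cn=asa1.corp.example
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2023
    end   date: 00:00:00 UTC Jan 1 2025
  Associated Trustpoints: CORP-TP
"""

SERIAL_RE = re.compile(r"Certificate Serial Number:\s*(\S+)")
SUBJECT_RE = re.compile(r"Subject Name:\s+(\S+)")
END_RE = re.compile(r"end\s+date:\s*(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3})\s+(\d+)\s+(\d{4})")
TP_RE = re.compile(r"Associated Trustpoints:\s*(\S+)")

@dataclass
class CertRecord:
    is_ca: bool          # "CA Certificate" block vs. identity "Certificate" block
    serial: str          # hex serial; assumed to be the ID `no certificate` takes
    subject: str
    not_after: datetime  # naive, in the zone the ASA printed (UTC here)
    trustpoint: str

def parse_show_output(text: str) -> List[CertRecord]:
    """One record per blank-line-separated block; blocks missing a field are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        serial, subject, end, tp = (rx.search(block) for rx in (SERIAL_RE, SUBJECT_RE, END_RE, TP_RE))
        if not (serial and end and tp):
            continue
        hhmmss, mon, day, year = end.groups()
        not_after = datetime.strptime(f"{hhmmss} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        is_ca = block.lstrip().startswith("CA Certificate")
        records.append(CertRecord(is_ca, serial.group(1), subject.group(1) if subject else "",
                                  not_after, tp.group(1)))
    return records

def expired(records: Iterable[CertRecord], as_of: datetime) -> List[CertRecord]:
    return [r for r in records if r.not_after < as_of]

def deletion_commands(records: Iterable[CertRecord], scep_trustpoints: Iterable[str] = ()) -> List[str]:
    """Group by trustpoint and emit `crypto ca certificate chain` / `no certificate [ca] ID`.
    Deleting a CA cert takes its identity certs with it; for a SCEP/NDES-enrolled
    trustpoint (named in scep_trustpoints) the recovery steps are appended as `!`
    comments, since `crypto ca authenticate` and `crypto ca enroll` are interactive."""
    by_tp: Dict[str, List[CertRecord]] = {}
    for r in records:
        by_tp.setdefault(r.trustpoint, []).append(r)
    cmds: List[str] = []
    for tp, certs in by_tp.items():
        cmds.append(f"crypto ca certificate chain {tp}")
        for c in sorted(certs, key=lambda c: c.is_ca):  # identity certs first, CA last
            cmds.append(f" no certificate {'ca ' if c.is_ca else ''}{c.serial}")
        cmds.append(" exit")
        if tp in set(scep_trustpoints) and any(c.is_ca for c in certs):
            cmds.append(f"! {tp} is SCEP-enrolled: back up its trustpoint config first, then")
            cmds.append(f"! crypto ca authenticate {tp}  and  crypto ca enroll {tp}")
    return cmds

def audit(text: str, as_of: str, scep_trustpoints: Iterable[str] = ()) -> List[str]:
    """Commands that remove every certificate expired as of the ISO date `as_of`."""
    return deletion_commands(expired(parse_show_output(text), datetime.fromisoformat(as_of)),
                             scep_trustpoints)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SHOW_OUTPUT, "2024-06-01", scep_trustpoints=["CORP-TP"])))
```

Run against a real `show crypto ca certificates` capture with the date you are auditing as of; review the generated lines before pasting them, and keep the trustpoint backup Pete mentions, because once a CA cert is removed from a SCEP-enrolled trustpoint the only way back is the authenticate and enroll dialogue.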
