topic HI Marvin, I think that only in Network Security

Delete Certificates Cisco ASA

Peter Long — Tue, 12 Mar 2019 06:05:06 GMT

Hi,

I can't find any syntax for removing single certs.

show crypto ca certificates

shows all the certificates in the ASA Crypto archive, for all the trust-points (of which there are three). But theres some old and unused certificates in there, I know removing the truspoint and recreating it will remove all the associated certificates, but is there a way to delete an individual certificate either by its serial number or some other method.

Note: I've tried revoking the certs in the PKI (Windows certificate services), but that does not remove them either.

I know they are not doing any harm, but the client wants them removed.

Regards,

Pete

Hi Pete,

Marvin Rhoads — Thu, 11 Jun 2015 01:41:00 GMT

Hi Pete,

Does this fit the bill for what you're asking?

ASA(config)# no crypto ca certificate chain ?

configure mode commands/options:
  WORD < 65 char  Trustpoint Name

HI Marvin, I think that only

Peter Long — Thu, 11 Jun 2015 07:07:09 GMT

HI Marvin,

I think that only lets you interact with trust points;

To enter certificate chain configuration mode for the indicated trustpoint, use the crypto ca certificate chain command in global configuration mode. To return to global configuration mode, use the no form of this command or use the exit command.

crypto ca certificate chain trustpoint
[no] crypto ca certificate chain trustpoint

Follow Up:OK you can delete a

Peter Long — Fri, 12 Jun 2015 09:17:19 GMT

Follow Up:

OK you can delete a CA cert like so;

crypto ca certificate chain {Trustpointt}

no certificate ca {Certificate ID}

However, if you want to delete an identity cert then just do the same but drop the 'ca' keyword.

You will have a problem if this trustpoint is enrolled via SCEP/NDES, (as mine was).

And trying to change the trustpoint to 'enrolment terminal' wont help because you can't make a change to an authenticated trustpoint.

Before proceeding backup the trustpoint configurations.

So Im my case I had to remove the CA cert for this trustpoint (this automatically removes all the identity certs as well but that's OK).

Then re-autheticate to SCEP and get the CA cert back again. (Note: For some reason the firewall has lost its fqdn info from the truspoint, (setup in the config). I restored from earlier, but its only one line!

To get the CA Cert back;

crypto ca authenticate {Trustpoint}

Finally re-enroll with NDES/SCEP and you are good to go;

crypto ca enroll {Trustpoint}

Problem solved.

Pete