
How to delete an expired Default Portal Certificate without Plus License?

Arne Bier
VIP

Hello

The Default Portal Certificate Group uses the 1 year self-signed certificate by default, and this cert has long since expired. I have a customer who doesn't use portals at all. But the self-signed cert has expired and they want to delete it.

I have created a new Portal certificate and then assigned all the Guest/Sponsor portals to the new cert. But ISE doesn't let me unlink the old cert from the Blacklist, Cert/Client Provision portals, and therefore I cannot delete the expired cert!!! Customer only has Base license - no Plus license :(

This seems like a design flaw to me.

Do I need to open a TAC case, get a temp Plus license to unlock the menu items to allow me to make the portal changes?

1 Accepted Solution

I believe you can still just request a 90-day eval cert and install it to get Plus licensing. Make a 15-year self-signed cert and assign it to the default portal. I make a 15-year self-signed cert for SAML on all my deployments because you can't delete that cert and most customers never use it.

4 Replies

Cory Peterson
Level 5

When you import the cert it lets you select which portals to assign it to. Will it let you select those portals when you do the cert import?

Hi Cory

You're right. I forgot to mention that I have two nodes. When I create a new self-signed cert for Portal role, I created a new Portal Group (e.g. "portals") and assigned the new cert to it. On node 1 it worked and I could delete the cert. But on node 2 it didn't.

I have seen this before but in that case I had eval/Plus license in order to manipulate the "BYOD portals".

I believe you can still just request a 90-day eval cert and install it to get Plus licensing. Make a 15-year self-signed cert and assign it to the default portal. I make a 15-year self-signed cert for SAML on all my deployments because you can't delete that cert and most customers never use it.

Hi Paul

I do the same - I call it preventative housekeeping. I chose 10 years instead of 15 - but the principle is the same. Prevention is better than cure :) I don't want my customers to have these red icons hanging around, or to get into a habit of ignoring warnings.

I'll request a Plus eval and see how it goes.  Thanks for the tip!