03-21-2025 06:13 AM
Hello everybody,
our customer has an ASAv running rel. 9.16(1)28. Our monitoring has sent an error message that an expired identity certificate (see screen dump attached) is still in the configuration.
I tried to delete it from the interfaces within the ASDM to be able to delete it from the configuration. It was not possible.
The currently valid certificate is the primary certificate, but in the overview I see two further certificates in the ASDM (see screen dump attached) and I don't see a possibility to delete the expired certificate (see screen dump attached).
Is there a possibility to delete the expired certificate within the ASDM and if yes, where? If it is not possible within the ASDM, how can I perform this on the CLI?
I have attached the 'sh run' output.
Thanks a lot!
Bye
R.
03-21-2025 07:01 AM
You cannot delete a certificate while it is being referenced/used in the configuration. Based on the information that you shared, the certificate that you are trying to delete is associated with the "SSL_2024" trustpoint. This trustpoint appears to be used for an IKEv2 remote-access VPN. As a result, a new certificate will need to be provisioned and associated with that trustpoint before you can delete the existing (expired) certificate.
Thank you for rating helpful posts!
03-26-2025 05:54 AM
Hi nspasov,
thanks for your reply!
I understand that I cannot delete a certificate that is currently in use. On both interfaces the valid certificate with trustpoint ASDM_TrustPoint4 is assigned (see attached screen dump).
I think you point to the configuration statement:
...
crypto ikev2 remote-access trustpoint SSL_2024
...
But on this ASA there is no IKEv2 remote-access VPN configured, just SSL remote-access VPN (see attached screen dump).
Could it be a solution to delete this command or replace it with the following?
...
crypto ikev2 remote-access trustpoint ASDM_TrustPoint4
...
So I should then be able to delete the expired certificate with the trustpoint SSL_2024, perhaps.
Thanks a lot!
03-26-2025 07:00 AM
You basically need to address the dependencies before you can remove the expired certificate. If the configurations are no longer needed then you can remove them. If the configurations are still needed then you will need to replace the certificate first before you will have the ability to delete it.
Thank you for rating helpful posts!
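Both replies come down to the same check: find every place in the running configuration that still references the trustpoint holding the expired certificate, and either repoint or remove those references before the trustpoint itself can go. The following script is an added example (not code from the thread or from Cisco) that performs that dependency check offline against `show running-config` text. The trustpoint names ASDM_TrustPoint4 and SSL_2024 come from the thread; the sample config, the list of reference forms it searches for (`ssl trust-point`, `crypto ikev2 remote-access trustpoint`, `crypto map ... set trustpoint`, `ikev1 trust-point`) and the `no crypto ca trustpoint ... noconfirm` cleanup syntax are my assumptions about ASA syntax and should be confirmed against the command reference for the running release. The pattern list is deliberately not exhaustive, so `show run | include <trustpoint name>` on the box remains the final check.

```python
"""Find which ASA trustpoints are still referenced and which can be removed.

Added example for the thread above; works on the text of `show running-config`.
"""
import re
from collections import defaultdict

# Constructed sample running-config, modelled loosely on the thread. Only the
# trustpoint names ASDM_TrustPoint4 and SSL_2024 come from the post; the rest
# (ASDM_TrustPoint0, keypair names, subject names, interface names) is made up.
SAMPLE_RUNNING_CONFIG = """\
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 subject-name CN=vpn.example.test
 keypair vpn2025
 crl configure
crypto ca trustpoint SSL_2024
 enrollment terminal
 subject-name CN=vpn.example.test
 keypair vpn2024
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 keypair default
 crl configure
crypto ca certificate chain ASDM_TrustPoint4
 certificate 0123
    3082010a0282010100
  quit
crypto ikev2 remote-access trustpoint SSL_2024
ssl trust-point ASDM_TrustPoint4 outside
ssl trust-point ASDM_TrustPoint4 inside
"""

# A trustpoint definition line. "crypto ca certificate chain <name>" is the
# certificate storage for that trustpoint, not a reference, so it is ignored.
DEFINITION = re.compile(r"^crypto ca trustpoint (\S+)\s*$")

# Places where ASA configuration references a trustpoint by name (assumed syntax;
# extend this list if your config uses other forms).
REFERENCE_PATTERNS = [
    ("ssl trust-point", re.compile(r"^\s*ssl trust-point (\S+)")),
    ("crypto ikev2 remote-access trustpoint",
     re.compile(r"^\s*crypto ikev2 remote-access trustpoint (\S+)")),
    ("crypto map set trustpoint",
     re.compile(r"^\s*crypto map \S+ \d+ set trustpoint (\S+)")),
    ("ikev1 trust-point (tunnel-group ipsec-attributes)",
     re.compile(r"^\s*ikev1 trust-point (\S+)")),
]


def defined_trustpoints(config_text):
    """Return the set of trustpoint names defined with 'crypto ca trustpoint'."""
    names = set()
    for line in config_text.splitlines():
        m = DEFINITION.match(line)
        if m:
            names.add(m.group(1))
    return names


def find_trustpoint_references(config_text):
    """Map each referenced trustpoint name to the config lines that reference it."""
    refs = defaultdict(list)
    for line in config_text.splitlines():
        for _label, pattern in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if m:
                refs[m.group(1)].append(line.strip())
                break
    return dict(refs)


def removal_plan(config_text):
    """Split defined trustpoints into removable (unreferenced) and blocked ones.

    'dangling' lists names that are referenced but never defined, which is
    worth flagging because such a reference points at nothing usable.
    """
    defined = defined_trustpoints(config_text)
    refs = find_trustpoint_references(config_text)
    return {
        "unreferenced": [tp for tp in sorted(defined) if tp not in refs],
        "blocked": {tp: refs[tp] for tp in sorted(defined) if tp in refs},
        "dangling": sorted(set(refs) - defined),
    }


def repoint_ikev2_trustpoint(config_text, new_trustpoint):
    """Return the config with the IKEv2 remote-access trustpoint changed.

    This models the replacement the original poster proposes; it does not
    touch the device, it only rewrites the text for a second dependency check.
    """
    return re.sub(r"^(\s*crypto ikev2 remote-access trustpoint )\S+",
                  lambda m: m.group(1) + new_trustpoint,
                  config_text, flags=re.MULTILINE)


def cleanup_commands(plan):
    """CLI lines to review before pasting into configure mode (assumed syntax)."""
    return [f"no crypto ca trustpoint {tp} noconfirm" for tp in plan["unreferenced"]]


if __name__ == "__main__":
    plan = removal_plan(SAMPLE_RUNNING_CONFIG)
    print("removable now:", plan["unreferenced"])
    for tp, lines in plan["blocked"].items():
        print(f"blocked: {tp}")
        for ln in lines:
            print("   ", ln)
    print("after repointing IKEv2 to ASDM_TrustPoint4:",
          removal_plan(repoint_ikev2_trustpoint(SAMPLE_RUNNING_CONFIG,
                                                "ASDM_TrustPoint4"))["unreferenced"])
```

Run against the sample, the script reports SSL_2024 as blocked by the single `crypto ikev2 remote-access trustpoint SSL_2024` line and ASDM_TrustPoint4 as blocked by the two `ssl trust-point` bindings; after the proposed repoint, SSL_2024 joins the removable list, which matches the reasoning in the thread. Treat the generated `no crypto ca trustpoint` lines as a review list rather than something to paste blindly, and confirm the syntax on the device first.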