06-10-2015 03:28 AM - edited 03-11-2019 11:05 PM
Hi,
I can't find any syntax for removing single certs.
show crypto ca certificates
shows all the certificates in the ASA crypto archive, for all the trust-points (of which there are three). But there's some old and unused certificates in there. I know removing the trustpoint and recreating it will remove all the associated certificates, but is there a way to delete an individual certificate, either by its serial number or some other method?
Note: I've tried revoking the certs in the PKI (Windows certificate services), but that does not remove them either.
I know they are not doing any harm, but the client wants them removed.
Regards,
Pete
06-10-2015 06:41 PM
Hi Pete,
Does this fit the bill for what you're asking?
ASA(config)# no crypto ca certificate chain ?

configure mode commands/options:
  WORD < 65 char  Trustpoint Name
06-11-2015 12:07 AM
Hi Marvin,
I think that only lets you interact with trust points:
To enter certificate chain configuration mode for the indicated trustpoint, use the crypto ca certificate chain command in global configuration mode. To return to global configuration mode, use the no form of this command or use the exit command.
crypto ca certificate chain trustpoint
[no] crypto ca certificate chain trustpoint
06-12-2015 02:17 AM
Follow Up:
OK, you can delete a CA cert like so:
crypto ca certificate chain {Trustpoint}
no certificate ca {Certificate ID}
However, if you want to delete an identity cert then just do the same but drop the 'ca' keyword.
You will have a problem if this trustpoint is enrolled via SCEP/NDES, (as mine was).
And trying to change the trustpoint to 'enrollment terminal' won't help, because you can't make a change to an authenticated trustpoint.
Before proceeding backup the trustpoint configurations.
So in my case I had to remove the CA cert for this trustpoint (this automatically removes all the identity certs as well, but that's OK).
Then re-authenticate to SCEP and get the CA cert back again. (Note: for some reason the firewall lost its fqdn info from the trustpoint (set up in the config). I restored it from an earlier backup, but it's only one line!)
To get the CA cert back:
crypto ca authenticate {Trustpoint}
Finally, re-enroll with NDES/SCEP and you are good to go:
crypto ca enroll {Trustpoint}
Problem solved.
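Added example (not from the thread or from Cisco): a small Python helper that parses a constructed sample in the shape of `show crypto ca certificates`, finds the certificates that have already expired, and emits the per-trustpoint `crypto ca certificate chain` / `no certificate [ca] {ID}` sequence described in the follow-up post. It assumes the certificate ID is the serial number shown in that output and that the date format matches the constructed sample; the SAMPLE text, serials, dates and the trustpoint name NDES-TP are all made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `show crypto ca certificates` on an ASA
# (made-up serials, dates and trustpoint name; not captured from a real device).
SAMPLE = """\
Certificate
  Certificate Serial Number: 3a1f
  Validity Date:
    end   date: 09:00:00 UTC Jan 5 2015
  Associated Trustpoints: NDES-TP

CA Certificate
  Certificate Serial Number: 01
  Validity Date:
    end   date: 12:00:00 UTC Mar 1 2030
  Associated Trustpoints: NDES-TP

Certificate
  Certificate Serial Number: 7b2c
  Validity Date:
    end   date: 08:00:00 UTC Jan 4 2016
  Associated Trustpoints: NDES-TP
"""

def parse_certs(text):
    """Return one dict per certificate block: CA flag, serial, expiry, trustpoints."""
    certs = []
    for block in re.split(r"\n(?=CA Certificate\n|Certificate\n)", text.strip()):
        head, _, body = block.partition("\n")
        serial = re.search(r"Serial Number:\s*(\S+)", body).group(1)
        end = re.search(r"end\s+date:\s*(.+)", body).group(1).replace(" UTC", "")
        tps = re.search(r"Associated Trustpoints:\s*(.+)", body).group(1).split()
        certs.append({"ca": head.startswith("CA"), "serial": serial, "trustpoints": tps,
                      "not_after": datetime.strptime(end, "%H:%M:%S %b %d %Y")
                                           .replace(tzinfo=timezone.utc)})
    return certs

def removal_commands(certs, now):
    """CLI from the thread for every expired cert, grouped per trustpoint.
    Identity certs drop the 'ca' keyword; the serial is assumed to be the cert ID.
    Caveat from the thread: removing the CA cert of a SCEP/NDES-enrolled trustpoint
    drops its identity certs too and needs re-authenticate + re-enroll afterwards."""
    per_tp = {}
    for c in (c for c in certs if c["not_after"] < now):
        for tp in c["trustpoints"]:
            per_tp.setdefault(tp, []).append(
                f"no certificate {'ca ' if c['ca'] else ''}{c['serial']}")
    lines = []
    for tp, cmds in per_tp.items():
        lines += [f"crypto ca certificate chain {tp}", *cmds, "exit"]
    return lines
```

Review the emitted lines against a backup of the trustpoint configuration before pasting them, as the post advises.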