cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17406
Views
10
Helpful
3
Replies

Delete Certificates Cisco ASA

Peter Long
Level 1
Level 1

Hi,

I can't find any syntax for removing single certs.

show crypto ca certificates

shows all the certificates in the ASA Crypto archive, for all the trust-points (of which there are three). But theres some old and unused certificates in there, I know removing the truspoint and recreating it will remove all the associated certificates, but is there a way to delete an individual certificate either by its serial number or some other method. 

Note: I've tried revoking the certs in the PKI (Windows certificate services), but that does not remove them either.

I know they are not doing any harm, but the client wants them removed.

 

Regards,

 

Pete

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

Hi Pete,

Does this fit the bill for what you're asking?

ASA(config)# no crypto ca certificate chain ?

configure mode commands/options:
  WORD < 65 char  Trustpoint Name

 

HI Marvin,

 

I think that only lets you interact with trust points;

 

To enter certificate chain configuration mode for the indicated trustpoint, use the crypto ca certificate chain command in global configuration mode. To return to global configuration mode, use the no form of this command or use the exit command.

crypto ca certificate chain trustpoint
[no] crypto ca certificate chain trustpoint 

Peter Long
Level 1
Level 1

Follow Up:

OK you can delete a CA cert like so;

crypto ca certificate chain {Trustpointt}

no certificate ca {Certificate ID}

However, if you want to delete an identity cert then just do the same but drop the 'ca' keyword.

You will have a problem if this trustpoint is enrolled via SCEP/NDES, (as mine was).

And trying to change the trustpoint to 'enrolment terminal' wont help because you can't make a change to an authenticated trustpoint.

Before proceeding backup the trustpoint configurations.

So Im my case I had to remove the CA cert for this trustpoint (this automatically removes all the identity certs as well but that's OK).

Then re-autheticate to SCEP and get the CA cert back again. (Note: For some reason the firewall has lost its fqdn info from the truspoint, (setup in the config). I restored from earlier, but its only one line!

To get the CA Cert back;

crypto ca authenticate {Trustpoint}

Finally re-enroll with NDES/SCEP and you are good to go;

crypto ca enroll {Trustpoint}

 

Problem solved.

Pete

 

 

Review Cisco Networking for a $25 gift card