ThePorthos
Beginner

Deleting old certificates. Way to tell if they are being used or not?

Hi All,

 

I am looking to clean up a bunch of old certificates off of our UCM servers. Is there a good way to tell which ones are actually being used by things and which ones are just sitting there? I know we use the tomcat stuff for example but I have like 5 CAPF ones, most of which are expired for example.

 

Any good ways to check what UCM is using currently?

 

Thanks,

Accepted Solutions

One of the available options is to open the individual certificate (xxx.pem) by clicking on it, and you can see the validity from and to. If the certificate's To date is lower than the current date, you can remove these certificates.

 

Validity From: Wed Nov 12 10:04:12 GMT 2014
To: Mon Nov 11 10:04:11 GMT 2019

 

You can also set up certificate expiry from RTMT- 

 

SyslogSeverityMatchFound generates whenever the certificate gets expired. If you read the logs, you get the name of the certificate. Please be sure that Cisco Certificate Expiry Monitor and Cisco Certificate Change Notification are enabled on all servers.

 

Regards,

Shalid 


Jaime Valencia
Hall of Fame Cisco Employee

There is no easy way to find out if a certificate is being used or not. Any certificate that is in the -trust store that is expired can be deleted, as it won't work anymore. If they're from the same cluster, you'd need to regenerate the certificate in the server to get the new one. If they're from other clusters, servers, services, etc., you'd need to manually upload them.

HTH

java

if this helps, please rate
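The check described in the two replies above, as an added example that is not part of either reply and is not Cisco code: it parses the `Validity From:` / `To:` text in the format quoted in the accepted solution and sorts certificates into expired `-trust` entries, other expired certificates, soon-to-expire, and valid. The row layout `(store, pem_name, validity_text)`, the file names, the `warn_days` window and the status labels are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Layout of the dates quoted above, e.g. "Mon Nov 11 10:04:11 GMT 2019".
UCM_DATE = "%a %b %d %H:%M:%S GMT %Y"

def parse_validity(text):
    """Return (not_before, not_after) from a 'Validity From: / To:' block."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        for label in ("Validity From:", "To:"):
            if line.startswith(label):
                raw = line[len(label):].strip()
                fields[label] = datetime.strptime(raw, UCM_DATE).replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("incomplete validity block: %r" % text)
    return fields["Validity From:"], fields["To:"]

def triage(inventory, now=None, warn_days=30):
    """Classify (store, pem_name, validity_text) rows by expiry state."""
    now = now or datetime.now(timezone.utc)
    report = []
    for store, pem_name, validity_text in inventory:
        not_before, not_after = parse_validity(validity_text)
        if not_after < now:
            # Expired -trust entries are the ones the reply above calls deletable;
            # other expired certificates are flagged separately (this example's choice).
            status = "expired-trust" if store.endswith("-trust") else "expired-identity"
        elif not_before > now:
            status = "not-yet-valid"
        elif not_after - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "valid"
        report.append((store, pem_name, status))
    return report

# Constructed sample rows: file names are hypothetical, and every date except
# the first row's (taken from the accepted solution) is made up.
SAMPLE = [
    ("CAPF-trust", "capf-old.pem", "Validity From: Wed Nov 12 10:04:12 GMT 2014\nTo: Mon Nov 11 10:04:11 GMT 2019"),
    ("CAPF", "capf.pem", "Validity From: Wed Jun 15 12:00:00 GMT 2016\nTo: Tue Jun 15 12:00:00 GMT 2021"),
    ("tomcat", "tomcat.pem", "Validity From: Wed Jan 01 00:00:00 GMT 2020\nTo: Tue Jan 01 00:00:00 GMT 2030"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

Passing a fixed `now` makes the result reproducible; an expiry status says nothing about whether a service still references the certificate, which is the part the reply above notes has no easy answer.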