Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
730
Views
10
Helpful
2
Replies

Deleting old certificates. Way to tell if they are being used or not?

Go to solution
ThePorthos
Level 1
Level 1

‎05-09-2019 07:44 AM

Hi All,

 

I am looking to clean up a bunch of old certificates off of our UCM servers. Is there a good way to tell which ones are actually being used by things and which ones are just sitting there? I know we use the tomcat stuff for example but I have like 5 CAPF ones, most of which are expired for example.

 

Any good ways to check what UCM is using currently?

 

Thanks,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Shalid Kurunnan Chalil
Spotlight
Spotlight

‎05-09-2019 08:37 AM

One of the available options is open the individual certificate (xxx.pem) by clicking on it and you can see the validity from and to. if the certificate To date is lower than current dates, you can remove these certificates. 

 

Validity From: Wed Nov 12 10:04:12 GMT 2014
To: Mon Nov 11 10:04:11 GMT 2019

 

You can also set up certificate expiry from RTMT- 

 

SyslogSeverityMatchFound generates whenever the certificate gets expired. if you read the logs you get the name of the certificate.  please be sure that Cisco Certificate Expiry Monitor and Cisco Certificate Change Notification are enabled on all servers. 

 

Regards,

Shalid 

View solution in original post

2 Replies 2

Go to solution
Shalid Kurunnan Chalil
Spotlight
Spotlight

‎05-09-2019 08:37 AM

One of the available options is open the individual certificate (xxx.pem) by clicking on it and you can see the validity from and to. if the certificate To date is lower than current dates, you can remove these certificates. 

 

Validity From: Wed Nov 12 10:04:12 GMT 2014
To: Mon Nov 11 10:04:11 GMT 2019

 

You can also set up certificate expiry from RTMT- 

 

SyslogSeverityMatchFound generates whenever the certificate gets expired. if you read the logs you get the name of the certificate.  please be sure that Cisco Certificate Expiry Monitor and Cisco Certificate Change Notification are enabled on all servers. 

 

Regards,

Shalid 

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee

‎05-09-2019 09:24 AM

There is no easy way to find out if a certificate is being used or not, any certificate that is in the -trust store that is expired can be deleted as it won't work anymore. If they're from the same cluster, you'd need to regenerate the certificate in the server to get the new one. If they're from other cluster, servers, services, etc. you'd need to manually upload them.

HTH

java

if this helps, please rate
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents