Forum Discussion

Ganesh_Garg
Jul 29, 2015

Need to remove expired certificate from LTM

I need to delete expired default.crt and default.key from LTM box. But it seems that certificate is being referenced somewhere else.

I have removed the expired cert from the locations below:

 

  • /config/ssl/ssl.crt
  • /config/ssl/ssl.key
  • /config/filestore/files_d/Common_d/certificate_d
  • /config/filestore/files_d/Common_d/certificate_key_d
  • changed referenced default cert & key from profiles with the new one.

Below is the output I get when removing the cert and key:

 

    admin@(seallb02)(cfg-sync In Sync)(Active)(/Common)(tmos) delete sys crypto cert default.crt
    01071349:3: File object by name (/Common/default.crt) is in use.

 

    admin@(seallb02)(cfg-sync In Sync)(Active)(/Common)(tmos) delete sys crypto key default.key
    01071349:3: File object by name (/Common/default.key) is in use.

 

Any suggestions?

 

8 Replies

  • Try this command from the CLI. It should be able to tell you where it is referenced.

     

    tmsh show running-config recursive one-line | grep "default.crt"

     

    If possible post the output here.

     

  • I have checked this already, but it's not referenced in any configuration:

     

    [admin@LB:Active:In Sync] ~ tmsh show running-config recursive one-line | grep "default.crt"

     

    [admin@LB:Active:In Sync] ~

     

    [admin@LB:Active:In Sync] ~ tmsh show running-config recursive one-line | grep "default.key"

     

    [admin@LB:Active:In Sync] ~

     

  • default.crt is a default object because it is used in the templates, and therefore it cannot be deleted. Your only option is to renew it. Based on your code, you may also have to force an mcpd reload to get the device to recognize it correctly after it is renewed. See sol13030. Hope it helps!
  • The problem here is that we have SSL certificate monitoring configured, and it is giving alerts because the certificate is expired. Is there any way I can stop monitoring of a specific certificate?

     

  • And the reason I cannot renew it is that the certificate uses an RSA-1024 key length, and renewing it with the same key length is not an option for me. The only key length option I have is RSA-2048.

     

    •
      HP1

      Did this get resolved? I'm assuming you had difficulty removing/deleting default.crt because it's being referenced in the config. Did you find any mention of it in the bigip.conf file?
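The search suggested in the first reply and the bigip.conf question in the last one can be done in one pass with a small script. The following is an added example, not code from the thread or from F5: a POSIX shell function that scans bigip.conf-style text (or the one-object-per-line output of `tmsh show running-config recursive one-line`) for every stanza that names a given certificate or key object, with a boundary check so `default.crt` does not match something like `notdefault.crt`, and skipping the object's own `sys file ssl-cert` / `ssl-key` definition so only real consumers are listed. The sample config is constructed for the example, and the config file paths in the usage comment are assumed locations on a BIG-IP.

```shell
#!/bin/sh
# Added example (not from the thread): list every config stanza that references
# a BIG-IP certificate or key object by name. Sample config below is constructed.

# cert_refs NAME FILE
# Prints "<stanza header>: <referencing line>" for each line in FILE that names
# NAME, skipping the object's own "sys file ssl-cert/ssl-key" definition.
cert_refs() {
    awk -v name="$1" '
        # An unindented line opens a new top-level object; remember its header.
        /^[A-Za-z]/ { stanza = $0; sub(/ \{.*$/, "", stanza) }
        {
            p = index($0, name)
            if (p == 0) next
            before = (p == 1) ? " " : substr($0, p - 1, 1)
            after  = substr($0, p + length(name), 1)   # "" at end of line
            # Require a path or whitespace boundary on both sides of the name,
            # so "default.crt" does not match "notdefault.crt" or "default.crt_1".
            if (before != " " && before != "/") next
            if (after != "" && after != " " && after != "}") next
            # The certificate/key object itself is not a consumer of itself.
            if (stanza ~ /^sys file ssl-(cert|key) /) next
            line = $0; sub(/^[ \t]+/, "", line)
            print stanza ": " line
        }
    ' "$2"
}

# write_sample FILE: constructed bigip.conf-style sample, not real device output.
write_sample() {
    cat > "$1" <<'EOF'
ltm profile client-ssl /Common/clientssl {
    cert /Common/default.crt
    key /Common/default.key
}
ltm profile client-ssl /Common/web_clientssl {
    cert /Common/web2015.crt
    key /Common/web2015.key
}
ltm profile server-ssl /Common/backend_serverssl {
    cert /Common/notdefault.crt
    key /Common/notdefault.key
}
ltm monitor https /Common/https_cert_mon {
    cert /Common/default.crt
    key /Common/default.key
}
sys file ssl-cert /Common/default.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:default.crt_1
}
EOF
}

main() {
    if [ "$#" -gt 0 ]; then
        # On a BIG-IP, pass the config files (assumed paths), e.g.:
        #   sh find_cert_refs.sh /config/bigip.conf /config/bigip_base.conf \
        #       /config/partitions/*/bigip.conf
        for f in "$@"; do
            [ -r "$f" ] && cert_refs default.crt "$f"
        done
    else
        tmp=$(mktemp) && write_sample "$tmp"
        cert_refs default.crt "$tmp"
        rm -f "$tmp"
    fi
}

main "$@"
```

Run with no arguments to see the two consumers in the constructed sample (the clientssl profile and the HTTPS monitor); the server-ssl profile using `notdefault.crt` and the certificate's own `sys file` stanza are correctly left out. If a real device still reports "in use" after this scan comes back empty across all partitions, the reference is not in the text configuration, which is the situation the thread ends in.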