https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/247020#M70316 <P>I expereinced something similar, not sure if it's exactly the same.&nbsp; I think if you do a bug scrub there was a bug-id identified for this.</P><P>&nbsp;</P><P>I opened a case a while back on this topic:</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Here are the relevant case notes (<SPAN>00935485 - 7/16/2018&nbsp;- PAN-OS 8.0.10 (at the time))</SPAN>:</P><P>&nbsp;</P><P><SPAN>"Thank you for the time spent on the zoom session today. Below is the summary:</SPAN><BR /><BR /><BR /><BR /><SPAN>We checked via GUI and we do not see the two CSRs under &lt;XXX&gt;RootCA</SPAN><BR /><SPAN>We loaded older config from July 5th from when the CSRs were generated, and we saw them in the XML file</SPAN><BR /><SPAN>We loaded yesterday's config(596) and that one had the CSRs too</SPAN><BR /><SPAN>We checked current config via CLI, and the CSRs are not there</SPAN><BR /><SPAN>We tried generating a bogus CSR, and that showed up in GUI correctly</SPAN><BR /><SPAN>You mentioned to just go ahead with generating the CSRs again, and we see both showed up correctly today.</SPAN><BR /><BR /><BR /><SPAN>As discussed, I will now close the case."</SPAN></P> Tue, 22 Jan 2019 19:36:05 GMT Brandon_Wertz 2019-01-22T19:36:05Z https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/246939#M70295 <P>Hi,</P><P>&nbsp;</P><P>Im having a weird issue in Palo Alto. First of all, we dont have vsys configured but in the confgi we can see the field &lt;vsys&gt; and many config in it.</P><P>Basically whn we run a commit we receive a warning about "certificate duplicate". We go to devices-&gt; certificates and we can only see one certificate with that CN. But if we check the .xml config we can see this certificate in the partition SHARE and VSYS1. so what is happening that? how can delete the nonuse certificate?</P> Tue, 22 Jan 2019 11:29:01 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/246939#M70295 BigPalo 2019-01-22T11:29:01Z https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/246992#M70312 <P>Have you imported the configuration from somewhere else, mainly from the Migration tool?</P><P>&nbsp;</P><P>I had something similar when I was working on one migration and had config imported from the Migration tool. I had dublicated object issues (not the certificates). In the GUI there was only one object, but under the xml config there were actually two completely identical.</P><P>&nbsp;</P><P>If you have the certificate backup (the private and the public). I would suggest you to:</P><P>- Remove the certificate, just form the GUI, select it and delete it<BR />- Commit<BR />- Import back the cert.</P><P>&nbsp;</P><P>The other way would probably be to review xml file, delete the dublicate entry for the certificate, by hand and import it back to the fw. But I believe if you do it via the GUI, it will delete everything (both entries) and then you can import it once again.</P> Tue, 22 Jan 2019 17:39:02 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/246992#M70312 A_Astardzhiev 2019-01-22T17:39:02Z https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/247018#M70315 <P>You should also be able to delete it from CLI. Run "show shared certificate ?" and you should be able to see both certificates. Run "delete shared certificate &lt;cert name&gt;" to delete it. That would be easier than editing the XML file.</P> Tue, 22 Jan 2019 19:09:41 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/247018#M70315 tcarlisle-ksa 2019-01-22T19:09:41Z https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/247020#M70316 <P>I expereinced something similar, not sure if it's exactly the same.&nbsp; I think if you do a bug scrub there was a bug-id identified for this.</P><P>&nbsp;</P><P>I opened a case a while back on this topic:</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Here are the relevant case notes (<SPAN>00935485 - 7/16/2018&nbsp;- PAN-OS 8.0.10 (at the time))</SPAN>:</P><P>&nbsp;</P><P><SPAN>"Thank you for the time spent on the zoom session today. Below is the summary:</SPAN><BR /><BR /><BR /><BR /><SPAN>We checked via GUI and we do not see the two CSRs under &lt;XXX&gt;RootCA</SPAN><BR /><SPAN>We loaded older config from July 5th from when the CSRs were generated, and we saw them in the XML file</SPAN><BR /><SPAN>We loaded yesterday's config(596) and that one had the CSRs too</SPAN><BR /><SPAN>We checked current config via CLI, and the CSRs are not there</SPAN><BR /><SPAN>We tried generating a bogus CSR, and that showed up in GUI correctly</SPAN><BR /><SPAN>You mentioned to just go ahead with generating the CSRs again, and we see both showed up correctly today.</SPAN><BR /><BR /><BR /><SPAN>As discussed, I will now close the case."</SPAN></P> Tue, 22 Jan 2019 19:36:05 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-can-not-be-deleted/m-p/247020#M70316 Brandon_Wertz 2019-01-22T19:36:05Z