https://live.paloaltonetworks.com/t5/general-topics/failed-to-delete-certificate-due-to-references-but-i-don-t-want/m-p/412184#M92827 <P>Hello,</P> <P>my current GlobalProtect portal/gateway certificate is expiring soon so I had our 3rd party CA create a new one with the same name.&nbsp; In Panorama under templates/device/certificates, I uploaded the new cert with a temporary name (ex. expiring cert name is foobar.net so I uploaded the new cert as new_foobar.net).&nbsp; Now I want to delete the expiring foobar.net and rename new_foobar.net to foobar.net.&nbsp; If I don't name it the same, I'll have to find everywhere it is referenced and change it multiple times.&nbsp; The problem is that when I go to delete the expiring cert, I get the familiar "foobar.net cannot be deleted because of references from: ..."</P> <P>Anyone know a way to get around this?</P> <P>Thanks,</P> <P>&nbsp;</P> Wed, 09 Jun 2021 19:02:09 GMT Joni_Larned 2021-06-09T19:02:09Z https://live.paloaltonetworks.com/t5/general-topics/failed-to-delete-certificate-due-to-references-but-i-don-t-want/m-p/412184#M92827 <P>Hello,</P> <P>my current GlobalProtect portal/gateway certificate is expiring soon so I had our 3rd party CA create a new one with the same name.&nbsp; In Panorama under templates/device/certificates, I uploaded the new cert with a temporary name (ex. expiring cert name is foobar.net so I uploaded the new cert as new_foobar.net).&nbsp; Now I want to delete the expiring foobar.net and rename new_foobar.net to foobar.net.&nbsp; If I don't name it the same, I'll have to find everywhere it is referenced and change it multiple times.&nbsp; The problem is that when I go to delete the expiring cert, I get the familiar "foobar.net cannot be deleted because of references from: ..."</P> <P>Anyone know a way to get around this?</P> <P>Thanks,</P> <P>&nbsp;</P> Wed, 09 Jun 2021 19:02:09 GMT https://live.paloaltonetworks.com/t5/general-topics/failed-to-delete-certificate-due-to-references-but-i-don-t-want/m-p/412184#M92827 Joni_Larned 2021-06-09T19:02:09Z https://live.paloaltonetworks.com/t5/general-topics/failed-to-delete-certificate-due-to-references-but-i-don-t-want/m-p/412754#M92873 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/182422">@Joni_Larned</a> ,</P><P>&nbsp;</P><P>This is the whole purpose of "SSL/TLS Service Profile".</P><P>-&nbsp; You select a certificate in the service profile and use this profile everywher you need.</P><P>- When you need to renew/change the certificate you change it only in the service profile, which apply to all locations where this profile is being used.</P><P>&nbsp;</P><P>In addition - you cannot refrence certificate anywhere except ssl/tls service profile. So you don't have to worrie that you need to change the certificate anywhere else.</P><P>&nbsp;</P><P>So what you need to do is:</P><P>- Find the ssl/tls service profile which is using the certificate that needs to be replaced</P><P>- Edit it and select from the dropdown your new certificate</P><P>- Commit and push config</P><P>- You should be able to old ceritifcate now</P><P>- (optional) now you can renew your new cert (removing "new_") name. This should automaticaly reflect in the service profile, but you can go and doublecheck if profile is using the update name. Commit and push to have it on the FW.</P> Sat, 12 Jun 2021 20:14:31 GMT https://live.paloaltonetworks.com/t5/general-topics/failed-to-delete-certificate-due-to-references-but-i-don-t-want/m-p/412754#M92873 aleksandar.astardzhiev 2021-06-12T20:14:31Z