Error Deleting Certificate on PAN-OS - ssl-decrypt -> trusted-root-CA

Printer Friendly Page

Issue

When attempting to delete a certificate that is used for SSL Decryption, even if not in use anywhere in the configuration, the following error appears:

Error deleting Certificate

Number of failed record(s): 1

    1- Failed to delete Certificate - tester3.

  ° tester3 cannot be deleted because of references from:

  ° ssl-decrypt -> trusted-root-CA

del-cert2.JPG.jpg

 

Cause

The certificate that is to be deleted has been designated as a Trusted Root CA. With the "Trusted Root CA" option selected, the Palo Alto Networks device will not allow you to delete the certificate, even if it is not used in the configuration. When a certificate is marked as "Trusted root CA", the device will attempt to use it in conjunction with the SSL Decrypt configuration, even though SSL Decryption is not being used.

 

Resolution

Uncheck "Trusted Root CA" from the certificate in question. This should allow you to delete the certificate, as long as it is not in use anywhere in the configuration.

del-cert.JPG.jpg

 

owner: jdelio

Comments

Hello, I'm having this issue with a CA cert that I created for SSL Decryption, it's not used for SSL Decryption right now and doesn't have the forward-trust-certificate and forward-untrust-certificate boxes or the Trusted Root CA boxes checked. How do I get rid of it? Thanks.

Here is what I get:

     1- Failed to delete Certificate - SSL-Decrypt.

  ° SSL-Decrypt cannot be deleted because of references from:

  ° shared -> ssl-decrypt -> forward-trust-certificate

  ° shared -> ssl-decrypt -> forward-untrust-certificate

PANOS 6.1.2

Please provide a screenshot of the cert properties.

I have this error on 8.0.0.

 

I can not uncheck "Trusted Root CA" as that option is ghosted out.

I am not using SSL Decryption. I can not figure out what is mandating the certificate to be Root CA.

@dannyman, when it comes to unchecking that option.. I have a couple of questions..

1. Is the certificate currently in use in any config?

2. What certificate are you trying to modify? Did you create it/import it? 

 

1) How can I tell? I was trying to set up GlobalProtect, but I can not find where that might reference this. And I would like the admin interface to use the cert to host SSL, but I can not find where to configure that, so the admin interface is running with a self-signed "localhost" cert. If I do "global find" I find the certificate I am trying to delete.

2) Device > Certificate Management > Certificates > Device Certificates ... it is our *.company.com imported via SSLmate.

 

In trying to get the admin interface to do proper https with a valid SSL cert, I realized that I might instead need the *.subdomain.company.com cert, so I figured I should remove the other one if I am not using it, but I am told that I am using it somehow.

@dannyman, If you want to know if the certificate is being used anywhere, you will need to get into the WebGUI > Device > Certificate Management > Certificates

Inside there you need to hover over the certificate name, look for the drop down option, click it then look for "Global Find". This will attempt to look through your entire config for this certificate.  It should show it if is being used anywhere. Then you should be able to go there and unselect it if it is being used, and then once it is unused, you should be able to remove it. (Try to choose the option to uncheck "Trusted Root CA" first).

 

I hope this helps.

@dannyman

@jdelio

 

I ran into this as well, with a wildcard cert too.  This is what I did to fix it.  I ran a putty session to the firewall and ran this command:

 

show shared ssl-decrypt

 

it should show you all of your certificates who have some form or fashion of being associated with ssl-decrypt.  I was not able to do the uncheckbox on my wildcard cert in the gui, so I had to run this command from the CLI to get it removed:

 

delete shared ssl-decrypt trusted-root-CA 123Test  (where 123Test was the name of the cert in question)

 

After I did that, I was able to remove the certificate from the GUI without issue.

 

Of course this was for my setup, yours could be different..

This solution resolved my issue, where the certificate that needed to be deleted was expired and was unable to deselect Trusted Root CA.