Im having a weird issue in Palo Alto. First of all, we dont have vsys configured but in the confgi we can see the field <vsys> and many config in it.
Basically whn we run a commit we receive a warning about "certificate duplicate". We go to devices-> certificates and we can only see one certificate with that CN. But if we check the .xml config we can see this certificate in the partition SHARE and VSYS1. so what is happening that? how can delete the nonuse certificate?
Have you imported the configuration from somewhere else, mainly from the Migration tool?
I had something similar when I was working on one migration and had config imported from the Migration tool. I had dublicated object issues (not the certificates). In the GUI there was only one object, but under the xml config there were actually two completely identical.
If you have the certificate backup (the private and the public). I would suggest you to:
- Remove the certificate, just form the GUI, select it and delete it
- Import back the cert.
The other way would probably be to review xml file, delete the dublicate entry for the certificate, by hand and import it back to the fw. But I believe if you do it via the GUI, it will delete everything (both entries) and then you can import it once again.
You should also be able to delete it from CLI. Run "show shared certificate ?" and you should be able to see both certificates. Run "delete shared certificate <cert name>" to delete it. That would be easier than editing the XML file.
I expereinced something similar, not sure if it's exactly the same. I think if you do a bug scrub there was a bug-id identified for this.
I opened a case a while back on this topic:
Here are the relevant case notes (00935485 - 7/16/2018 - PAN-OS 8.0.10 (at the time)):
"Thank you for the time spent on the zoom session today. Below is the summary:
We checked via GUI and we do not see the two CSRs under <XXX>RootCA
We loaded older config from July 5th from when the CSRs were generated, and we saw them in the XML file
We loaded yesterday's config(596) and that one had the CSRs too
We checked current config via CLI, and the CSRs are not there
We tried generating a bogus CSR, and that showed up in GUI correctly
You mentioned to just go ahead with generating the CSRs again, and we see both showed up correctly today.
As discussed, I will now close the case."
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!