Duplicate Certificate Subject Found

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Duplicate Certificate Subject Found

L4 Transporter

Screenshot_2.pngHi all

Cant get rid off this warning.we have deleted all duplicate certificates but couldnt get out of this warning when commit something

16 REPLIES 16

L7 Applicator

is this a wildcard cert...

 

it may be that you have a wild cart cert for *.fred.smiff.com and also a cert for just smiff.com.

no cancel that... obviously that would apply to all ".com" certs...

 

I did have a similar issue with licensing, tried to add new and told already activated, although it had been removed..

 

had to go via cli to remove it as not showing in GUI.

 

you could view all installed certs  with one of the options under :-

 

show sslmgr-store

 

 

Yes it is wildcart cert
Can you please give me instructions how to solve it?

@Radmin_85,

Once you've commit the configuration to ensure that any removals you've made have actually taken place, take a look at the certificate store and see if any of your listed certificates happen to have the same CN. 

If it doesn't show up in the GUI I would verify with the 'show sslmgr-store config-ca-certificate' command that you don't have a stale cert hiding in the config. 

 

 

hello if you found the duplicate cert with the command show sslmgr-store config-ca-certificate, how can you delete the stale cert hiding in the config?

 

@Marivi,Good point...

 

I would have thought "delete sslmgr-store config-ca-certificate <certificate name>

 

but i thought wrong...

 

I can only see this option in "configure" mode but that's for web-server, forward-trust and forward-untrust.

 

Have you found a duplicate hidden cert or just asking?

I have found a duplicate hidden, i have done  >debug dataplane reset ssl-decrypt certificate-cache but this don't fix the problem, I have found next command  > debug sslmgr delete crl all which do the same in management plane. I will inform you if the second command fix the problems... thank you for you fast answer

@Marivi

 

try this...

 

configure

 

delete shared ssl-decrypt trusted-root-ca ?

delete shared ssl-decrypt trusted-root-ca <certificate name>

no good...

 

no object to delete in delete handler

OK...

 

configure

 

delete shared certificate ?

delete shared certificate <certificate name>

 

 

works for me.....

L1 Bithead

I met the same issue, but found a problem in Network > Global Protect > Portals > GlobalProtect Portal Configuration > Agent > TrustedRoot CA. There was a certificate, whos CN duplicated the other one. But that certificate wasn't in the Certificates list in Certificates management.

 

Hope it will help somebody.

L0 Member

Hi,

Hoping to revive this thread, I'm having the exact same issue.


Certificates visible with 'show sslmgr-store config-ca-certificate' and under 'Network > GlobalProtect > Portals' and under Agent Configuration and the Dropdown menu for Trusted Root CA. But nowhere else...

 

I've tried everything I can think of, the certificate is not available under the delete and debug commands, even in configuration mode.

I'm currently on release 9.0.x but I don't think this is associated with a particular release.

 

Did anyone find a solution for this?

 

I'm also having the exact same issue and on 9.0.x 

 

This is a problem.

L0 Member

I'm also having this problem but running version 8.1.14.

 

This problem started when a certificate expired. I selected the certificate and tried to renew it, but the firewall gave an error message saying that it could not read the certificate. I later made another certificate, with the intent of configuring it into the place of the expired certificate, with the same IP address. Just for fun, I tried renewing the certificate and it successfully renewed it.

 

I deleted the freshly created certificate that was still unused, but started receiving the error on commits. The certificate exists in some form in the GUI (provided for an option for GlobalProtect TrustedRootCA), but does not exist in Device > Certificate > Certificate management.

 

It exists in the CLI as well, but I'm unsure of the command to delete the certificate.

Help appreciated!

  • 15851 Views
  • 16 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!