
Unable to remove expired certificate from Netscaler 12.1.49.23.nc


Rob Ward1709152984


The error I am receiving is 

 

Certificate is referenced by a CRL, OCSP responder, vserver, service, monitor, SSL profile, another certificate, or a policy expression using XML_ENCRYPT() or XML_DECRYPT()

 

I am unable to find any reference to the certificate when doing a sh ns running except for the add ssl certKey section.

 

I have restarted the Netscaler (did see a reference to this) but this did not allow the certificate to be removed.

 

Any Ideas?

Many Thanks

Rob

 



Try highlighting the certificate key pair and click show bindings that should tell you where the certificate is being referenced.


Your original post indicated that the cert key WAS in use ("except for the add ssl certKey Section").... If it is NOT in use, then this could be "yet another GUI problem" :-( 

 

When you say "Unable to remove expired certificate" what are you trying to do, and how are you trying to do it?

- removing the cert and key files via the GUI

- removing the cert and key files via a CLI session

- trying to remove the certkey object via GUI? CLI?

- are you trying to be cheeky, and swap out an old cert file for a new cert file, whilst leaving the CertKey in place?

 

There are several ways to update an expired certificate. One is to use the "update cert" option, which works well if the intermediate cert doesn't change. Otherwise, I just tend to upload the cert with a different name ("mycert.cert.2019"), create a new certkey, then unbind the old one / bind the new one (and then use the CLI to remove any old files).


Paul,

 

'Cert key WAS in use': the part referenced was from a dump of the Netscaler config, which I assume gets applied on reboot; the cert is not applied to any VS, CS or anything else.

I tried removing the key using the GUI only. Have not tried CLI yet.

I also tried updating the certificate but that failed, due I believe to a different password on the new cert.

I did try to upload the cert with a new name (that did not exist) but it said it already existed. I assumed (should I do that?) that this referred to the actual certificate subject name, i.e. mycert.domain.com.

 

So still trying to get shut of the old certificate.

 

Many thanks for your response and open to suggestions (I will try CLI).

 

Regards

 

Rob

 

 


I get a similar error from the command line:

rm ssl certkey TKI
ERROR: Certificate is referenced by a CRL, OCSP responder, vserver, service, monitor, SSL profile, another certificate, or a policy expression using XML_ENCRYPT() or XML_DECRYPT()

 

Doing a show certkey I get:

 

show certkey TKI
    Name: TKI        Status: -->Expired<--
    Version: 3
    Serial Number: 2D5DD0F8xxxx7BAB09D626xxxx6757F42B699D
    Signature Algorithm: sha256WithRSAEncryption
    Issuer:  C=BM,O=QuoVadis Limited,CN=QuoVadis Global SSL ICA G2
    Validity
        Not Before: Nov 23 07:17:39 2015 GMT
        Not After : Nov 23 07:17:36 2018 GMT
    Certificate Type:    "Client Certificate"    "Server Certificate"
    Subject:  C=AU,ST=WA,L=Crawley,O=The blah blah Australia,OU=IT,CN=*.blah.blah.blah.au
    Public Key Algorithm: rsaEncryption
    Public Key size: 2048
    Ocsp Response Status: NONE

    1)     URI:http://crl.quovadisglobal.com/qvsslg2.crl
 Done
 

Am I to assume 1) is the bind that is causing the problem? If so, what is the correct format of the unbind command?

 

I have tried 

unbind ssl certKey TKI -ocspResponder qvsslg2.crl
ERROR: No such resource [certkeyName, TKI]

 

This points to the certkey TKI not being present....

 

Regards

Rob


I had the same error message with Netscaler 13.0 92.21nc

Certificate is referenced by a CRL, OCSP responder, vserver, service, monitor, SSL profile, another certificate, or a policy expression using XML_ENCRYPT() or XML_DECRYPT()

 

My solution in CLI:

 

Step 0) show vpn global

 

output>

VPN Session Policy Name: ###   Type: Advanced  Priority: 65534, GotoPriorityExpression: NEXT

                Portal Theme: RfWebUI

                Userdata Encryption Certificate: <your old certificate>

 

To solve this:

Step 1) bind vpn global -userDataEncryptionKey <your new certificate>

Step 2) show vpn global

 

output>

VPN Session Policy Name: ###   Type: Advanced  Priority: 65534, GotoPriorityExpression: NEXT

                Portal Theme: RfWebUI

                Userdata Encryption Certificate: <your new certificate>

                Userdata Encryption Certificate: <your old certificate>

 

Step 3) unbind vpn global -userDataEncryptionKey <your old certificate>

Step 4) show vpn global

output>

VPN Session Policy Name: ###   Type: Advanced  Priority: 65534, GotoPriorityExpression: NEXT

                Portal Theme: RfWebUI

                Userdata Encryption Certificate: <your new certificate>

 

After this I could successfully remove the certificate.
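Added example (not part of the thread and not Citrix code): a small Python helper that reads `show certkey` and `show vpn global` output in the formats quoted in this thread, flags the expired certkey, and lists the bind/unbind/rm commands from the steps above that must run before `rm ssl certkey` succeeds. The sample output embedded below is constructed after the transcripts here, and the replacement certkey name TKI-2024 is made up.

```python
"""Find expired NetScaler certkeys and the 'vpn global' userdata-encryption
binding that blocks 'rm ssl certkey'. Sample output below is constructed
after the transcripts in this thread, not captured from an appliance."""
import re
from datetime import datetime, timezone

# Constructed, modelled on the 'show certkey TKI' output quoted above.
SHOW_CERTKEY = """\
show certkey TKI
    Name: TKI        Status: -->Expired<--
    Validity
        Not Before: Nov 23 07:17:39 2015 GMT
        Not After : Nov 23 07:17:36 2018 GMT
 Done
"""

# Constructed, modelled on the 'show vpn global' output quoted above;
# TKI-2024 (the replacement certkey) is a made-up name.
SHOW_VPN_GLOBAL = """\
VPN Session Policy Name: pol1   Type: Advanced  Priority: 65534
                Portal Theme: RfWebUI
                Userdata Encryption Certificate: TKI-2024
                Userdata Encryption Certificate: TKI
"""

def parse_certkey(text):
    """Return certkey name, expired flag and 'Not After' as a UTC datetime."""
    name = re.search(r"^\s*Name:\s*(\S+)", text, re.M).group(1)
    m = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    not_after = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return {"name": name, "expired": "-->Expired<--" in text,
            "not_after": not_after.replace(tzinfo=timezone.utc)}

def userdata_encryption_certs(text):
    """Certkeys currently bound via 'bind vpn global -userDataEncryptionKey'."""
    return re.findall(r"Userdata Encryption Certificate:\s*(\S+)", text)

def removal_plan(certkey_text, vpn_global_text, replacement):
    """Commands from this thread needed before 'rm ssl certkey' will succeed."""
    ck = parse_certkey(certkey_text)
    bound = userdata_encryption_certs(vpn_global_text)
    cmds = []
    if ck["name"] in bound:
        # Keep a userdata-encryption cert bound: bind the new one first.
        if replacement not in bound:
            cmds.append(f"bind vpn global -userDataEncryptionKey {replacement}")
        cmds.append(f"unbind vpn global -userDataEncryptionKey {ck['name']}")
    cmds.append(f"rm ssl certkey {ck['name']}")
    return ck, cmds
```

Paste the real `show certkey <name>` and `show vpn global` output into the two strings; the same "Userdata Encryption Certificate:" line is what the GUI's "show bindings" view does not surface in this thread.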
