Expired certificates cannot be deleted in Internal CA Management Tool:

1. Connect to the command line on Management Server (over SSH, or console).
   
   
2. Log in to Expert mode.
   
   
3. Enable Internal CA Management Tool on the Security Management Server / Domain Management Server (refer to sk39915):
   [Expert@HostName]# cpca_client  set_mgmt_tool on  [-no_ssl]
   
   
4. Connect to Internal CA Management Tool with a web browser.
   
   
5. In the left pane, click on "Manage CRLs."
   
   
6. Click "Clean the CA's Database and CRLs from expired certificates" - confirm, when prompted.
   
   
7. Connect to the command line on Management Server (over SSH, or console).
   
   
8. Log in to Expert mode.
   
   
9. Check the list of expired certificates:
   [Expert@HostName]# cpca_client lscert -stat Expired
   
   The expired certificates are still listed, even though they were supposed to be deleted from the database.

Expired certificates do not appear in the Management Database:

• Internal CA Management Tool does not show any expired certificates (click on 'Manage Certificates' - in 'Status' field, select 'Expired' - click on 'Search' button)
  
  
• Output of 'cpca_client  lscert -stat Expired' shows:
  
Operation succeeded. rc=0.
0 certs found.

ICA Management Tool (sk39915) shows that several certificates that should have expired, still appear as 'Valid.'

'cpca_client lscert' command fails with error "Operation failed. rc=-1."

Running the 'cpca_client lscert ' command under debug ('fw debug cpca on TDERROR_ALL_ALL=5') shows:

fwasync_connbuf_realloc: Connection buffer overflow. Cannot allocate N bytes of memory. Limit is 1048576.
fwasync_conn_send: fwasync_connbuf_realloc() failed.