Expired certificates cannot be deleted from the Management Database

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk101049
Technical Level
Product	Security Management, Multi-Domain Management
Version	R77, R77.10, R77.20, R77.30, R80.10, R80.20, R80.30, R80.40
Date Created	25-May-2014
Last Modified	11-Feb-2020

Symptoms

Expired certificates cannot be deleted in Internal CA Management Tool:
1. Connect to the command line on Management Server (over SSH, or console).
2. Log in to Expert mode.
3. Enable Internal CA Management Tool on the Security Management Server / Domain Management Server (refer to sk39915):
  [Expert@HostName]# cpca_client set_mgmt_tool on [-no_ssl]
4. Connect to Internal CA Management Tool with a web browser.
5. In the left pane, click on "Manage CRLs."
6. Click "Clean the CA's Database and CRLs from expired certificates" - confirm, when prompted.
7. Connect to the command line on Management Server (over SSH, or console).
8. Log in to Expert mode.
9. Check the list of expired certificates:
  [Expert@HostName]# cpca_client lscert -stat Expired
  
  The expired certificates are still listed, even though they were supposed to be deleted from the database.
Expired certificates do not appear in the Management Database:
- Internal CA Management Tool does not show any expired certificates (click on 'Manage Certificates' - in 'Status' field, select 'Expired' - click on 'Search' button)
- Output of 'cpca_client lscert -stat Expired' shows:
ICA Management Tool (sk39915) shows that several certificates that should have expired, still appear as 'Valid.'
'cpca_client lscert' command fails with error "Operation failed. rc=-1."

Running the 'cpca_client lscert ' command under debug ('fw debug cpca on TDERROR_ALL_ALL=5') shows:

fwasync_connbuf_realloc: Connection buffer overflow. Cannot allocate N bytes of memory. Limit is 1048576.
fwasync_conn_send: fwasync_connbuf_realloc() failed.

Solution

Note: To view this solution you need to Sign In .