Support Center > Search Results > SecureKnowledge Details
Expired certificates cannot be deleted from the Management Database
Symptoms
  • Expired certificates cannot be deleted in Internal CA Management Tool:

    1. Connect to the command line on Management Server (over SSH, or console).

    2. Log in to Expert mode.

    3. Enable Internal CA Management Tool on the Security Management Server / Domain Management Server (refer to sk39915):
      [Expert@HostName]# cpca_client  set_mgmt_tool on  [-no_ssl]

    4. Connect to Internal CA Management Tool with a web browser.

    5. In the left pane, click on "Manage CRLs."

    6. Click "Clean the CA's Database and CRLs from expired certificates" - confirm, when prompted.

    7. Connect to the command line on Management Server (over SSH, or console).

    8. Log in to Expert mode.

    9. Check the list of expired certificates:
      [Expert@HostName]# cpca_client lscert -stat Expired

      The expired certificates are still listed, even though they were supposed to be deleted from the database.
  • Expired certificates do not appear in the Management Database:

    • Internal CA Management Tool does not show any expired certificates (click on 'Manage Certificates' - in 'Status' field, select 'Expired' - click on 'Search' button)

    • Output of 'cpca_client  lscert -stat Expired' shows:
    • Operation succeeded. rc=0.
      0 certs found.
  • ICA Management Tool (sk39915) shows that several certificates that should have expired, still appear as 'Valid.'

  • 'cpca_client lscert' command fails with error "Operation failed. rc=-1."

  • Running the 'cpca_client lscert ' command under debug ('fw debug cpca on TDERROR_ALL_ALL=5') shows:

    fwasync_connbuf_realloc: Connection buffer overflow. Cannot allocate N bytes of memory. Limit is 1048576.
    fwasync_conn_send: fwasync_connbuf_realloc() failed.
    
Solution
Note: To view this solution you need to Sign In .