Wireless Access

Contributor I

IntermediateCA certificates don't get cleared from MM

Hi, running and playing around with the Palo Alto integration, which has meant I have been installing and removing certificates quite a bit. I have a pair of MMs in active/standby and a cluster of 2x7240xm controllers.


If I add an intermediate certificate to the Managed Devices level in the hierarchy, I can see it from the CLI on the Managed Devices and on the Mobility Masters, which is fine. However, if I then delete that certificate from the MD, it gets cleared from both the MDs but it still shows on the MM (via the CLI - the GUI shows no trace). There doesn't seem to be anything I can do to get rid of them. I tried synchronizing the database, and even rebooting all the devices simultaneously doesn't do it, but I think if I leave it long enough they will disappear (I haven't proved that yet but that is what seems to have happened in the past).


This only happens for IntermediateCAs - trusted CAs and server CAs get deleted across the MDs and MMs immediately.


The reason this is a problem is that I now can't add the certificate back to any device using the same name because you can't have two certificates with the same name across the system as a whole.


So unless I start using random names for the certificates I just have to sit and wait until the MM decides to forget about the certificate that isn't there any more.

David Rickard
MVP Guru

Re: IntermediateCA certificates don't get cleared from MM

Are you also removing it from the MM level or just the Managed network level?

Sent from Mail for Windows 10
Thank you

Victor Fabian
Lead Mobility Architect @WEI
Contributor I

Re: IntermediateCA certificates don't get cleared from MM

I can only remove it from the MD group level, where I added it.  Once I remove it from there it disappears from the GUI.  It is only visible from the CLI of the MM with the "show crypto pki intermediateca" command.

David Rickard