Hi, running 8.3.0.4 and playing around with the Palo Alto integration, which has meant I have been installing and removing certificates quite a bit. I have a pair of MMs in active/standby and a cluster of 2x 7240XM controllers.
If I add an intermediate certificate to the Managed Devices level in the hierarchy, I can see it from the CLI on the Managed Devices and on the Mobility Masters, which is fine. However, if I then delete that certificate from the MD, it gets cleared from both the MDs but it still shows on the MM (via the CLI - the GUI shows no trace). There doesn't seem to be anything I can do to get rid of them. I tried synchronizing the database, and even rebooting all the devices simultaneously doesn't do it, but I think if I leave it long enough they will disappear (I haven't proved that yet but that is what seems to have happened in the past).
This only happens for IntermediateCAs - trusted CAs and server CAs get deleted across the MDs and MMs immediately.
The reason this is a problem is that I now can't add the certificate back to any device using the same name because you can't have two certificates with the same name across the system as a whole.
So unless I start using random names for the certificates I just have to sit and wait until the MM decides to forget about the certificate that isn't there any more.