A keyring can only be deleted when nothing references it. This article lists where a keyring may be referenced when the Keyring view in the Management Console reports it as referenced.
NOTE: A service does not need to be in use for a keyring to count as referenced. For example, the default-untrusted keyring is referenced by default under Configuration > Proxy Settings > SSL Proxy > SSL Proxy > Preserve Untrusted Issuer. Whether or not Preserve untrusted certificate issuer is enabled, that keyring shows as referenced as long as it is the keyring selected in the drop-down menu.
Apart from references in policy, keyrings can be referenced in the following locations of the Management Console:
Configuration > General > Archive > Archive Storage > Signing > Sign archives with keyring > Keyring
Configuration > Services > Proxy Services > Proxy Services > Predefined Service Groups > Standard > Reverse Proxy (Typically a 4433 port listener) > Edit Service > Keyring
Configuration > Services > Management Services > HTTPS-Console > Edit > Keyring
Configuration > Clients > General > Client Manager > Keyring
Configuration > SSL > SSL Client > SSL Client Settings > Keyring
Configuration > SSL > Device Profiles > Profiles > [Select a Profile] > Edit > Keyring
Configuration > SSL > OCSP > OCSP Responder > [Select a Responder] > Edit > Keyring
Configuration > Proxy Settings > SSL Proxy > SSL Proxy > Issuer Keyring
Configuration > Proxy Settings > SSL Proxy > SSL Proxy > Untrusted Issuer Keyring
Configuration > Authentication > SAML > [Select SAML Realm] > Edit > Encryption Keyring (optional)
Configuration > Access Logging > Logs > Upload Client > Signing Keyring
The Sysinfo can also be searched to narrow down which keyrings are in use. To view it, browse to https://[your proxy ip]:8082/Sysinfo and search the document for the keyring in question. Once you find it, change the corresponding setting and check whether the keyring is still shown as referenced. This is faster but not conclusive: a keyring that is still the default selection for a setting does not appear in the Sysinfo. For example, if the HTTPS-Console keyring is left at its default, that keyring will not show up in the Sysinfo, even though it is referenced.
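As an added example (not part of the original article and not Symantec/Blue Coat code), the following Python script automates that Sysinfo search. It matches the keyring name as a whole token, so a search for "default" does not also hit "default-untrusted", reports the section each hit sits in, and treats a miss as inconclusive for the reason given above. The Sysinfo excerpt and its underscore-ruled section headers are constructed for this example; the download helper assumes HTTP basic auth on port 8082 and is not run unless you call it.

```python
"""Search a ProxySG Sysinfo dump for references to a named keyring.

Added example for this article; it is not vendor code. The Sysinfo excerpt
below is constructed, and the assumption that section headers are lines
enclosed by underscore rules is a convention of this example, not a
documented format.
"""
import re
import ssl
import urllib.request

# Constructed Sysinfo excerpt for illustration only (not a real appliance dump).
SAMPLE_SYSINFO = """\
____________________________________________________________
Software Configuration
____________________________________________________________
Reverse proxy listener 4433 keyring: default
HTTPS-Console keyring: my-console-keyring
____________________________________________________________
SSL Proxy
____________________________________________________________
Issuer keyring: my-issuer-keyring
Untrusted issuer keyring: default-untrusted
"""


def _is_rule(line: str) -> bool:
    # A "rule" is a line made only of underscores (assumed header marker).
    stripped = line.strip()
    return len(stripped) > 3 and set(stripped) == {"_"}


def keyring_pattern(keyring_name: str) -> "re.Pattern[str]":
    # Keyring names may contain hyphens, so match the whole token instead of a
    # bare substring: a search for "default" must not match "default-untrusted".
    return re.compile(r"(?<![\w-])" + re.escape(keyring_name) + r"(?![\w-])")


def find_keyring_references(sysinfo_text: str, keyring_name: str) -> list:
    """Return each line that names the keyring, tagged with its enclosing section."""
    pattern = keyring_pattern(keyring_name)
    lines = sysinfo_text.splitlines()
    section = "(no section)"
    hits = []
    for idx, line in enumerate(lines):
        # Header = rule / title / rule; remember the title for later hits.
        if _is_rule(line) and idx + 2 < len(lines) and _is_rule(lines[idx + 2]):
            section = lines[idx + 1].strip()
        if pattern.search(line):
            hits.append({"section": section, "line_no": idx + 1, "text": line.strip()})
    return hits


def summarize(sysinfo_text: str, keyring_name: str) -> str:
    """One-line verdict. A miss is inconclusive: a keyring left as the default
    selection for a setting is not written to the Sysinfo (see the article)."""
    hits = find_keyring_references(sysinfo_text, keyring_name)
    if hits:
        where = ", ".join(f"{h['section']} (line {h['line_no']})" for h in hits)
        return f"{keyring_name}: referenced in {where}"
    return (f"{keyring_name}: not found in Sysinfo (inconclusive; default "
            "selections are not listed, check the Management Console paths)")


def fetch_sysinfo(host: str, username: str, password: str, cafile=None) -> str:
    """Download https://<host>:8082/Sysinfo. HTTP basic auth against the
    management port is an assumption; pass the console certificate's CA as
    cafile rather than disabling verification."""
    url = f"https://{host}:8082/Sysinfo"
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, username, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPBasicAuthHandler(mgr),
        urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=cafile)),
    )
    with opener.open(url, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Replace SAMPLE_SYSINFO with fetch_sysinfo(host, user, password) for a live box.
    for name in ("default", "default-untrusted", "my-console-keyring", "unused-keyring"):
        print(summarize(SAMPLE_SYSINFO, name))
```

A hit tells you which section to open in the Management Console; an empty result only means the keyring is not spelled out in the Sysinfo, so the locations listed above still have to be checked for default selections.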
If the keyring still shows as referenced after it has been removed from these locations, terminate the active sessions on the proxy that may still be using it for SSL interception: Statistics > Sessions > Active Sessions > Terminate All Sessions. Note that this drops every current client session, so do it during a maintenance window.
Note: the passive-attack-protection-only-key keyring will always show as referenced, because it is used by the passive-attack-protection-only SSL profile, which cannot be deleted or edited. For the places where SSL profiles are referenced, see TECH252609.