When adding a new SSL certificate to replace an existing SSL certificate, the old certificate cannot be deleted until it is no longer in use.

VIP Enterprise Gateway

There are 4 services where an SSL certificate could be in use. After importing the new SSL certificate, you will need to check each of these 4 services to ensure that the new SSL certificate is selected (if using SSL for that service):

• Self-Service Portal - EGConsole > Identity Providers > Self Service Portal
• VIP Manager IdP - EGConsole > Identity Providers > Manager IdP
• Enterprise Gateway Console - EGConsole > Settings > Console Settings
• Health Check - EGConsole > Settings > Health Check Settings

Select the new certificate to use if SSL is enabled. When the old SSL certificate is no longer used by any service, the old certificate should no longer be marked "In Use = Yes" and can be deleted. 

Note: To change which SSL cert is being used in versions earlier than VIP 9.7 gateway, stop the Symantec Self-Service Portal service. From the Enterprise Gateway Identity Providers tab, edit and select the new certificate. Apply the changes, then restart the service.