Symantec VIP - Unable to remove a VIP or SSL Certificates from VIP Enterprise Gateway. Certificate is In Use and cannot be deleted.
search cancel

Symantec VIP - Unable to remove a VIP or SSL Certificates from VIP Enterprise Gateway. Certificate is In Use and cannot be deleted.

book

Article ID: 176612

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

In the VIP Gateway > Setting, the VIP Certificate or other SSL Certificate cannot be removed or changed. 

 Failed to delete 'certname' 

When viewing the Cert:

Invalid input string format.  Check the input for invalid characters and try again

Cause

Possible corruption in the VIP key store. 

Resolution

Note: An active SSL cert showing in use as Yes cannot be deleted until all services (Enterprise Gateway Console, Healthcheck, SSP or VIP Manager IdP) using that cert are set to use another SSL cert, or the HTTPS option is disabled (HTTP). An SSL cert change will require a service restart.  (Refer to this KB for instructions on how to change SSL certificate usage by the individual services:  https://knowledge.broadcom.com/external/article?articleNumber=176590)

 

To avoid access denied errors, the In Use status should show as No.  Proceed with these steps only if all other steps to free up the SSL certificate have failed:

  1. Open a Symantec Support case. 
  2. Navigate to \<VIP installation directory>\server\Webapps\configs,  then send the ManagedAuthentication.xml file to technicians assigned to the case.
  3. Navigate to <VIP installation directory>, then send the license.txt file to the technician assigned to the case. 
  4. The technician will respond with the decrypted password for the DEFAULT and (if necessary) VIPCDK keystores. 
  5. Open an elevated command prompt and navigate to \<VIP installation directory>\server\keystore
  6. Run the following:
    1. VIP versions 9.9.x or earlier: "C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -list -keystore DEFAULT.
    2. VIP versions 9.10 or later: "C:\Program Files\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -list -keystore DEFAULT.
       
  7. When prompted, enter the password for the DEFAULT key store.
  8. Make note of the certificate(s) that needs to be removed.
  9. Run the following:
    1. VIP version 9.9.x or earlier: "C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -delete -noprompt -alias <name of cert to be removed> -keystore DEFAULT.
    2. VIP version 9.10 or later: "C:\Program Files\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -delete -noprompt -alias <name of cert to be removed> -keystore DEFAULT.
      ‚Äč
  10. When prompted, enter the password.
  11. If removing the VIP certificate, repeat the steps with the VIPCDK key store.
  12. Restart the Symantec VIP Enterprise Gateway service.