Symantec VIP - Unable to remove a VIP or SSL Certificates from VIP Enterprise Gateway. Certificate is In Use and cannot be deleted.
Article ID: 176612
Products
VIP Service
Issue/Introduction
Removing the VIP or other SSL Certificate fails with the error:
Failed to delete 'certname'
When viewing the Cert:
Invalid input string format. Check the input for invalid characters and try again
Cause
Possible corruption in the VIP key store.
Resolution
Note: An access denied error occurs when removing the certificate if its In Use status shows as Yes. If this happens, set the Enterprise Gateway Console, Healthcheck, SSP/MyVIP IdP, and VIP Manager IdP to use a different SSL certificate, or temporarily set them to HTTP (this requires a service restart). See the SSL certificate instructions.
Open a Symantec Support case.
Navigate to <VIP installation directory>\server\Webapps\configs. Attach the ManagedAuthentication.xml file to the support case.
Navigate to <VIP installation directory>. Attach the license.txt file to the support case.
The technician will respond with the DEFAULT or VIPCDK decrypted password for the next steps.
Open an administrative command prompt and navigate to <VIP installation directory>\server\keystore
Run the following to list the existing certificates:
VIP versions 9.10 or later: "C:\Program Files\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -list -keystore DEFAULT
Enter the password for the DEFAULT key store. The SSL and RA certificates are displayed.
Run the following to delete the SSL certificate. It is not necessary to delete the RA certificates:
VIP version 9.9.x or earlier: "C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -delete -noprompt -alias <name of cert to be removed> -keystore DEFAULT
VIP version 9.10 or later: "C:\Program Files\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -delete -noprompt -alias <name of cert to be removed> -keystore DEFAULT
When prompted, enter the password.
If removing the VIP certificate, repeat the steps with the VIPCDK key store. The support engineer will provide the password for this keystore.
Restart the Symantec VIP Enterprise Gateway service.
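Added example (not part of the original article, and not Symantec's own tooling): a PowerShell wrapper around the list and delete commands above that first takes a hashed backup of the key store and confirms the alias before and after deletion. The script layout, parameter names and the backup file name are assumptions, as is the assumption that an extra .bak file in the keystore directory is ignored by the gateway; the keytool options are the ones shown in the article.

```powershell
# Added example, not part of the original article. Run from an elevated prompt.
param(
    [Parameter(Mandatory)][string]$Alias,                 # alias of the cert to remove
    [ValidateSet('DEFAULT','VIPCDK')][string]$Store = 'DEFAULT',
    # 9.10+ path from the article; pass the "Program Files (x86)" path for 9.9.x.
    [string]$VipHome = 'C:\Program Files\Symantec\VIP_Enterprise_Gateway'
)

$keytool  = Join-Path $VipHome 'jvm\bin\keytool.exe'
$keystore = Join-Path $VipHome "server\keystore\$Store"
foreach ($p in $keytool, $keystore) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "Not found: $p" }
}

# 1. Back up the key store next to the original (so it inherits the same ACL)
#    and record its hash so the copy can be verified before any restore.
$backup = "$keystore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $keystore -Destination $backup -ErrorAction Stop
$hash = (Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash
Write-Host "Backup: $backup (SHA256 $hash)"

# keytool prompts for the store password on each call. -storepass is left out
# on purpose so the password does not land in the command line or history.

# 2. Confirm the alias is present before changing anything.
& $keytool -list -alias $Alias -keystore $keystore
if ($LASTEXITCODE -ne 0) {
    throw "keytool -list failed (alias missing, wrong password or unreadable store); nothing deleted."
}

# 3. Delete it, using the same options as the article's command.
& $keytool -delete -noprompt -alias $Alias -keystore $keystore
if ($LASTEXITCODE -ne 0) { throw "Delete failed. Key store backup is at $backup." }

# 4. Verify: listing the alias should now fail with "does not exist".
& $keytool -list -alias $Alias -keystore $keystore
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' is still present in $Store." }

Write-Host "Removed '$Alias' from $Store. Restart the Symantec VIP Enterprise Gateway service."
```

The backup contains private key material; delete it once the gateway has been restarted and confirmed working.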