Symantec VIP - Unable to remove a VIP or SSL Certificates from VIP Enterprise Gateway. Certificate is In Use and cannot be deleted.

Article ID: 176612

Products

VIP Service

Issue/Introduction

Removing the VIP or other SSL Certificate fails with the error: 

 Failed to delete 'certname' 

Viewing the certificate returns the error:

Invalid input string format.  Check the input for invalid characters and try again

Cause

Possible corruption in the VIP key store. 

Resolution

Note: An access denied error will occur when removing the certificate if the In Use status for the cert shows as Yes. If this happens, set the Enterprise Gateway Console, Healthcheck, SSP/MyVIP IdP, and VIP Manager IdP to use a different SSL cert, or temporarily set them to HTTP (requires a service restart). For details, see the SSL certificate instructions.

 

  1. Open a Symantec Support case. 
  2. Navigate to <VIP installation directory>\server\Webapps\configs. Attach the ManagedAuthentication.xml file to the support case.
  3. Navigate to <VIP installation directory>. Attach the license.txt file to the support case.
  4. The technician will respond with the DEFAULT or VIPCDK decrypted password for the next steps. 
  5. Open an administrative command prompt and navigate to <VIP installation directory>\server\keystore.
  6. Run the following to list the existing certificates:
    1. VIP versions 9.9.x or earlier: "C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -list -keystore DEFAULT
    2. VIP versions 9.10 or later: "C:\Program Files\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -list -keystore DEFAULT
       
  7. Enter the password for the DEFAULT key store. The SSL and RA certificates are displayed. 
  8. Run the following to delete the SSL certificate. It is not necessary to delete the RA certificates:
    1. VIP version 9.9.x or earlier: "C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -delete -noprompt -alias <name of cert to be removed> -keystore DEFAULT
    2. VIP version 9.10 or later: "C:\Program Files\Symantec\VIP_Enterprise_Gateway\jvm\bin\keytool" -delete -noprompt -alias <name of cert to be removed> -keystore DEFAULT
  9. When prompted, enter the password.
  10. If removing the VIP certificate, repeat the steps with the VIPCDK key store. The support engineer will provide the password for this keystore. 
  11. Restart the Symantec VIP Enterprise Gateway service.
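
The list and delete steps above can be wrapped so that the key store is backed up first and the result is checked afterwards. The script below is an added example, not part of the original article or any vendor tooling; the parameter names and the backup file naming are assumptions, and it uses only the keytool options shown in the steps above.

```powershell
# Added example (not vendor code): back up the key store, confirm the alias
# exists, delete it, then confirm the key store still opens.
# Assumptions: parameter names and the ".bak" backup naming are illustrative.
param(
    [Parameter(Mandatory)] [string] $InstallDir,  # <VIP installation directory>
    [Parameter(Mandatory)] [string] $Alias,       # <name of cert to be removed>
    [ValidateSet('DEFAULT', 'VIPCDK')] [string] $KeyStore = 'DEFAULT'
)

$keytool = Join-Path $InstallDir 'jvm\bin\keytool.exe'
$store   = Join-Path (Join-Path $InstallDir 'server\keystore') $KeyStore

foreach ($path in $keytool, $store) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "Not found: $path" }
}

# The copy stays in the keystore directory so it inherits the same ACLs;
# it contains private keys and should be removed once the change is verified.
$backup = "$store.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $store -Destination $backup -ErrorAction Stop
Write-Host "Backup written to $backup"

# keytool prompts for the password itself, so the password never appears on
# the command line, in shell history, or in a script variable.
& $keytool -list -alias $Alias -keystore $store
if ($LASTEXITCODE -ne 0) {
    throw "Alias '$Alias' not found in $KeyStore, or wrong password. Nothing was deleted."
}

& $keytool -delete -noprompt -alias $Alias -keystore $store
if ($LASTEXITCODE -ne 0) {
    throw "Delete failed. If the key store was modified, restore it from $backup."
}

# List the whole key store again: exit code 0 shows it still loads with the
# same password; the operator confirms the alias is absent from the listing.
& $keytool -list -keystore $store
if ($LASTEXITCODE -ne 0) {
    throw "Key store no longer opens. Restore it from $backup before restarting the service."
}
Write-Host "Confirm '$Alias' is absent above, then restart the Symantec VIP Enterprise Gateway service."
```

keytool asks for the key store password at each of the three invocations. Run the script once per key store (DEFAULT, then VIPCDK if removing the VIP certificate).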