Delete Expired Certificates in the CA Certificate Store

Article ID: 366904


Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

Because the list of trusted CAs changes over time, you may want to update your CCLs to ensure that they contain the most up-to-date list of CA certificates.

You can manually edit the default appliance-ccl and browser-trusted CCLs and any custom-produced CCL. The bluecoat-services and image-validation CCLs are read-only and cannot be modified; however, you can still view the contents.

Resolution

By design, expired certificates cannot be deleted. They can only be viewed, and they can also be removed from the CCL of interest. The most commonly used CCL is the "Browser Trusted" list.

For detailed steps on removing an expired CA certificate from a CCL, refer to the technical documentation at the URL below.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/updating-a-ca-certificate-list.html

Note that a certificate that has not been added to a CCL is not actively used by the appliance and therefore has no negative impact.

There isn't yet an updated certificate for the expired image validation certificate. The expired certificate is still being used, and there are no issues with this.

Additional Resource: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/getting-started/page-help-configuration/page-help-configuration-ssl/page-help-ca-certificates/page-help-ca-certificates-ccl.html

Note: We recommend configuring the appliance, from the CLI, to always auto-update the trust package, which houses the CA certificates. For the required CLI command, please refer to the snippet below.