Delete Expired Certificates in the CA Certificate Store
search cancel

Delete Expired Certificates in the CA Certificate Store


Article ID: 366904


Updated On:


ISG Proxy ProxySG Software - SGOS


Because the list of trusted CAs changes over time, you may want to update your CCLs to ensure that they contain the most up-to-date list of CA certificates.

You can manually edit the default appliance-ccl and browser-trusted CCLs and any custom-produced CCL. The bluecoat-services and image-validation CCLs are read-only and cannot be modified; however, you can still view the contents.


For the expired certificates, it isn't not allowed to delete them, by design. They can only viewed, and they can also removed from the CCL of interest. The most used of the CCL is the "Browser Trusted" List.

For detailed steps on how you may remove the expired CA certificate from the CCL, please refer to the steps in the Tech. Doc. with the URL below.

It's important to note that the certificate not added to a CCL isn't actively utilized by the appliance, and thus, has no negative impact.

There isn't yet an updated certificate for the expired image validation certificate. This is still being used, and there are no issues with this. 

Additional Resource:

Note: We recommend to have the appliance configured, from CLI, to always auto-update the trust package, which houses the CA certificates. For the required CLI command, please refer to the anippet below.