Stale and expired Principal Identity certificate attached to a non-existent service and cannot be deleted using CARR script

Article ID: 428105

Updated On:

Products

VMware NSX

Issue/Introduction

  • An expired Principal Identity (PI) certificate is shown attached to an NSX Manager node:

  • The above certificate is attached to a non-existent service type, "Client Authentication":

  • The same NSX Manager node also has a valid (not expired) PI certificate attached to the valid 'Client Auth' service.

Environment

VMware NSX

Cause

  • The PI certificate is attached to the legacy service type "Client Authentication", which no longer exists in NSX 4.x and is a remnant of versions prior to 3.2.
  • This issue can occur when the PI certificate was replaced in an NSX version prior to 3.2 and the replacement could not detach the service from the expiring certificate at that time.

Resolution

  • The CARR script cannot be used to release a certificate attached to the "Client Authentication" service type.
  • Open a support request with Broadcom NSX support and reference this KB.
  • Provide the following information when opening the support request:

    • A screenshot of the issue.
    • NSX manager logs.
    • Results of the following API call: GET https://<nsx-manager-ip>/api/v1/trust-management/certificates
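To pre-check the output of that API call before raising the request, the helper below walks the certificate list and separates certificates attached to the legacy "Client Authentication" service type (this KB) from expired certificates attached to the current "CLIENT_AUTH" service type (the related KB) and from unattached ones. This is an added example, not a VMware/Broadcom tool and not part of this KB. It assumes the response shape `{"results": [{"id", "display_name", "used_by": [{"node_id", "service_types"}], "details": {"not_after"}}]}` and the service-type strings `CLIENT_AUTH` and `Client Authentication`; those field names, the string values and the sample response are constructed for illustration and should be checked against a real response.

```python
"""Triage the GET /api/v1/trust-management/certificates response.

Added example; not part of the KB article or any VMware/Broadcom script.
Field names ("results", "used_by", "service_types", "details.not_after")
and service-type strings are ASSUMPTIONS about the API and are not
confirmed by the article. The sample response is constructed.
"""
import json
from datetime import datetime, timezone

# Assumed API strings: the service that still exists in NSX 4.x ("Client
# Auth" in the UI) versus the legacy label described by the KB.
CURRENT_SERVICE_TYPES = {"CLIENT_AUTH"}
LEGACY_SERVICE_TYPES = {"Client Authentication"}

# Constructed sample response (not captured from a real NSX Manager).
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"id": "cert-expired-legacy", "display_name": "PI cert (old)",
         "details": {"not_after": "2022-01-15T00:00:00Z"},
         "used_by": [{"node_id": "mgr-node-1",
                      "service_types": ["Client Authentication"]}]},
        {"id": "cert-valid-current", "display_name": "PI cert (new)",
         "details": {"not_after": "2030-01-15T00:00:00Z"},
         "used_by": [{"node_id": "mgr-node-1",
                      "service_types": ["CLIENT_AUTH"]}]},
        {"id": "cert-expired-current", "display_name": "PI cert (stale)",
         "details": {"not_after": 1640995200000},  # epoch milliseconds
         "used_by": [{"node_id": "mgr-node-2",
                      "service_types": ["CLIENT_AUTH"]}]},
        {"id": "cert-unattached", "display_name": "orphan",
         "details": {"not_after": "2021-06-01T00:00:00Z"},
         "used_by": []},
    ]
})


def parse_not_after(value):
    """Accept an ISO-8601 string (with or without trailing 'Z') or an
    epoch-milliseconds integer and return an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000.0, tz=timezone.utc)
    text = str(value).strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def classify(cert, now):
    """Return one of: legacy_service (cannot be released by the CARR script
    per the KB, open a support request), expired_attached (related KB),
    unattached, or ok."""
    attachments = cert.get("used_by") or []
    service_types = {s for entry in attachments
                     for s in entry.get("service_types", [])}
    if service_types & LEGACY_SERVICE_TYPES:
        return "legacy_service"
    if not attachments:
        return "unattached"
    not_after = parse_not_after(cert.get("details", {}).get("not_after"))
    if not_after <= now and service_types & CURRENT_SERVICE_TYPES:
        return "expired_attached"
    return "ok"


def triage(response_text, now=None):
    """Map certificate id -> category for every entry in the response."""
    now = now or datetime.now(timezone.utc)
    data = json.loads(response_text)
    return {c["id"]: classify(c, now) for c in data.get("results", [])}


if __name__ == "__main__":
    for cert_id, category in triage(SAMPLE_RESPONSE).items():
        print(f"{cert_id}: {category}")
```

The legacy check runs before the expiry check on purpose: the KB's point is that the attachment to a service that no longer exists, not the expiry date alone, is what stops the CARR script from releasing the certificate.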

Additional Information

Related KB for the same issue where the stale/expired certificate is attached to the valid "CLIENT AUTH" service type:

Unable to delete stale attachments of node associated with expired pks certificates