Stale Certificates Accumulation During Certificate Renewal


Article ID: 438651


Products

VCF Automation, VMware Avi Load Balancer

Issue/Introduction

Stale intermediate certificates can accumulate on the Avi Load Balancer Controller during certificate renewal when the certificate chain contains more than one certificate above the leaf, for instance one root plus two intermediates signing the application certificate(s). Each renewal of such a bundle can leave the previous copy of every intermediate behind.

Cause

When a certificate bundle is uploaded, the controller splits the chain and creates a separate certificate object for each certificate in it. If a certificate with the same Common Name (CN) already exists but has a different fingerprint (as is the case for a renewed intermediate), the controller creates a new certificate object instead of replacing the existing one. Every renewal therefore adds one more copy of each intermediate, and the duplicates accumulate.

Resolution

Workaround

Identify and remove unused intermediate certificates as follows:

  • Find certificates that share a Common Name (CN) but differ in fingerprint/serial number.
    • To check the Common Name: log in to the Controller GUI and navigate to Templates > Security > SSL/TLS Certificates. The Common Name of every certificate is listed there.
    • To compare serial numbers: log in to the Controller CLI and run the command below from the "shell" prompt for each certificate that shares a Common Name in the GUI:

      > show sslkeyandcertificate <certificate name> | grep "serial_number"

    • Before deleting anything, note which copy the current application certificate actually chains to (its issuer and the issuer's serial number); that copy must stay.

  • Verify whether the duplicate certificate is referenced anywhere (Avi refuses to delete a certificate that is in use).
    • In Avi version 31.x: log in to the Controller GUI, navigate to Templates > Security > SSL/TLS Certificates, locate the duplicate certificate, click the three dots beside it and open the "Where Used" section. If the certificate is not in use, it shows "We couldn't find any objects!"
    • In Avi versions earlier than 31.x: attempt the deletion. If the certificate is in use, the controller rejects the deletion with an error naming the configuration that references it.

  • If the certificate is not in use, delete the duplicate.

    To delete the duplicate certificate, log in to the Controller GUI, navigate to Templates > Security > SSL/TLS Certificates, select the duplicate certificate and click the "Delete" button.

  • To slow further build-up, reduce how often the certificate bundle is renewed (for example, cert-manager's duration/renewBefore settings) where your security policy permits. Each renewal of a multi-level chain leaves one more set of stale intermediates behind, so the clean-up above has to be repeated periodically.
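The steps above (find certificates sharing a CN, compare fingerprint/serial, keep the newest) are easy to script against the controller's REST API rather than clicking through the GUI one certificate at a time. The following is an added example and is not part of this article or of Avi's own tooling. It assumes the input is the `results` list returned by `GET /api/sslkeyandcertificate` and that each object carries `name`, `type`, `certificate.subject.common_name`, `certificate.fingerprint`, `certificate.serial_number` and `certificate.not_after` (field names and the `SSL_CERTIFICATE_TYPE_CA` enum value are assumptions; confirm them against your controller's API output). The sample data is constructed to mirror the Cause section: a root plus two intermediates after one renewal.

```python
"""Triage helper for stale intermediate certificates on an Avi Controller.

Added example, not Avi's own tooling. Groups SSLKeyAndCertificate objects
by subject CN and reports CNs that exist under more than one fingerprint,
which is what the controller leaves behind after each renewal of a
multi-level chain.

Assumed input shape: the ``results`` list of ``GET /api/sslkeyandcertificate``
(field names name, type, certificate.subject.common_name,
certificate.fingerprint, certificate.serial_number, certificate.not_after
are assumptions; check them against your controller).
"""
from collections import defaultdict

CA_TYPE = "SSL_CERTIFICATE_TYPE_CA"  # assumed Avi enum value for CA objects


def _cert(name, cn, fingerprint, serial, not_after, ctype=CA_TYPE):
    """Build one object in the assumed API shape (constructed data only)."""
    return {
        "name": name,
        "type": ctype,
        "certificate": {
            "subject": {"common_name": cn},
            "fingerprint": fingerprint,
            "serial_number": serial,
            # assumed "YYYY-MM-DD HH:MM:SS" format, which sorts lexically
            "not_after": not_after,
        },
    }


# Constructed sample: chain of root + 2 intermediates after one renewal.
# Leaf and root exist once; both intermediates exist twice with the same
# CN but a different fingerprint and serial (values are made up).
SAMPLE_RESULTS = [
    _cert("app.example.com", "app.example.com", "SHA1:AA:AA", "1002",
          "2026-06-01 00:00:00", ctype="SSL_CERTIFICATE_TYPE_VIRTUALSERVICE"),
    _cert("Example Issuing CA", "Example Issuing CA", "SHA1:CC:CC", "2001",
          "2027-01-01 00:00:00"),
    _cert("Example Issuing CA-1", "Example Issuing CA", "SHA1:DD:DD", "2002",
          "2029-01-01 00:00:00"),
    _cert("Example Intermediate CA", "Example Intermediate CA", "SHA1:EE:EE",
          "3001", "2027-01-01 00:00:00"),
    _cert("Example Intermediate CA-1", "Example Intermediate CA", "SHA1:FF:FF",
          "3002", "2029-01-01 00:00:00"),
    _cert("Example Root CA", "Example Root CA", "SHA1:99:99", "9001",
          "2035-01-01 00:00:00"),
]


def group_by_cn(results, ca_only=True):
    """Map CN -> list of (name, fingerprint, serial, not_after), newest first."""
    groups = defaultdict(list)
    for obj in results:
        if ca_only and obj.get("type") != CA_TYPE:
            continue
        cert = obj["certificate"]
        groups[cert["subject"]["common_name"]].append(
            (obj["name"], cert["fingerprint"],
             cert["serial_number"], cert["not_after"])
        )
    for entries in groups.values():
        entries.sort(key=lambda e: e[3], reverse=True)
    return dict(groups)


def find_duplicate_cns(results, ca_only=True):
    """CNs present under more than one distinct fingerprint."""
    return {
        cn: entries
        for cn, entries in group_by_cn(results, ca_only).items()
        if len({e[1] for e in entries}) > 1
    }


def stale_candidates(results, ca_only=True):
    """Object names to run through 'Where Used' before deletion: every
    copy of a duplicated CN except the one with the latest not_after."""
    names = []
    for entries in find_duplicate_cns(results, ca_only).values():
        names.extend(name for name, _fp, _serial, _exp in entries[1:])
    return sorted(names)


if __name__ == "__main__":
    for cn, entries in find_duplicate_cns(SAMPLE_RESULTS).items():
        print(cn)
        for name, fp, serial, exp in entries:
            print(f"  {name:28s} serial={serial:6s} expires={exp}  {fp}")
    print("candidates for deletion (check 'Where Used' first):",
          stale_candidates(SAMPLE_RESULTS))
```

The script only identifies candidates; it deliberately does not delete anything. The newest copy is kept by expiry date, which matches a renewed chain in the common case, but the check in the workaround still applies: confirm which intermediate the current application certificate actually chains to, and confirm "Where Used" is empty, before deleting the older copy.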