How to successfully delete an expired SSL cert from the SG.

Article ID: 166502

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

When I try to delete an expired certificate from the SG I get an error message that the cert is in use, even though I have disassociated the keyring with all policies and services. I even searched the sysinfo to see if I missed any other services.

Resolution

To successfully delete an expired SSL certificate from the SG GUI, you must first:

  1. Disassociate all components and policies that are tied to the keyring (where applicable).

  • HTTPS reverse proxy service
  • HTTPS management service
  • OCSP responder(s) (SGOS 5.x and later)
  • SSL client
  • Configuration setting for SSL Intercept issuer-keyring
  • SSL-Intercept layer policy
  • SSL device profile(s)
  • Web Isolation configuration: check whether the expired keyring is referenced in the Web Isolation config on the Proxy by using the command SG#(config Isolation) view. If the expired keyring is used there, use the #(config isolation)issuer-keyring <valid-keyring> command to replace it with a valid one.
  • If the expired keyring still cannot be deleted after all of the above, the only remaining thing to check is active sessions: clear any active sessions, as the expired keyring may be in use by some or all of them.

  2. Reboot the SG.

To delete the certificate using the Management Console:

  1. Select Configuration>SSL>Keyrings>SSL Keyrings
  2. Highlight the name of the keyring containing the certificate you want to delete
  3. Click Edit
  4. Click Delete in the Certificate section
  5. The Confirm delete dialog appears
  6. Click OK in the Confirm delete dialog box
  7. Click Close in the Edit Keyring dialog box
  8. Click Apply and OK

To delete the entire keyring:

  1. Select Configuration>SSL>Keyrings>SSL Keyrings
  2. Highlight the name of the keyring that you want to delete
  3. Click Delete
  4. The Confirm delete dialog appears
  5. Click OK in the Confirm delete dialog box
  6. Click Apply and OK