Error deleting one or more certificates: Only custom-created keys are eligible for deletion.

  • 7009758
  • 17-Nov-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Access Administration
Administration Console and Identity Server installed on separate servers

Situation

Purpose:

The default "admin-console" certificate created at installation has been replaced in the "Administration Console Keystore" by a newly created one. It is therefore no longer used by the system and is not present in any of the keystores. The goal is to delete the unused "admin-console" certificate.

Symptoms:

As soon as the deletion is attempted, the system triggers the following error:

"Error deleting one or more certificates: Only custom-created keys are eligible for deletion."

Resolution

This is working as designed. However, if you are 100% sure that the certificate is no longer in use, there is a manual workaround to remove it from the system.

Workaround:

Before proceeding, use the "/opt/novell/devman/bin/amdiagcfg.sh" script to take a full backup of the current Administration Console configuration.

To get rid of the "admin-console" certificate, you need to manually delete two objects in the eDirectory configuration store. You can do this with either iManager itself or an LDAP browser.

The first object to delete is the KMO certificate object itself, which is named "admin-console - <servername>" and is located under the container O=novell.

The second object is the following empty container:

admin-console.KeyContainer.Partition.PartitionsContainer.VCDN_Root.accessManagerContainer.novell

Please note that in the same context you will find another container named "admin-console-keystore", which you must NOT delete.

Once this is done, the admin-console certificate should no longer be listed in the certificates tab of the Administration Console GUI.
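The workaround above, carried out with the OpenLDAP command-line tools instead of iManager, as an added example that is not part of this TID and not a Novell-supplied script. It assumes that the entries in the dotted path are named by cn (the trailing "novell" by o), that the configuration store is reachable at $LDAP_URL, and that $BIND_DN/$BIND_PW is an administrator of that tree; these details are not stated in the TID. The script refuses to touch the "admin-console-keystore" container, checks that both entries exist, aborts if the KeyContainer entry is not actually empty, and supports a DRY_RUN mode so the DNs can be reviewed before anything is deleted.

```shell
#!/bin/sh
# Added example, not Novell's own tooling: removes the two eDirectory objects
# named in this TID with the OpenLDAP client tools, after safety checks.
# Assumptions not stated in the TID: entries are named by cn (the trailing
# "novell" by o), the configuration store listens at $LDAP_URL, and
# $BIND_DN/$BIND_PW is an administrator of that tree.
# Take a backup with /opt/novell/devman/bin/amdiagcfg.sh before running it.

# Path of the empty KeyContainer entry, copied from the TID (NDS dotted form).
CONTAINER_DOTTED='admin-console.KeyContainer.Partition.PartitionsContainer.VCDN_Root.accessManagerContainer.novell'

# Convert NDS dotted notation (leaf first) into an LDAP DN:
#   a.b.novell -> cn=a,cn=b,o=novell
dotted_to_dn() {
    rest=$1
    dn=''
    while [ "${rest#*.}" != "$rest" ]; do
        dn="${dn}cn=${rest%%.*},"
        rest=${rest#*.}
    done
    printf '%so=%s\n' "$dn" "$rest"
}

# DN of the KMO object "admin-console - <servername>" under O=novell.
kmo_dn_for() {
    printf 'cn=admin-console - %s,o=novell\n' "$1"
}

# Succeed only if the DN is not the admin-console-keystore container (or
# anything below it), which the TID says must never be deleted.
safe_to_delete() {
    case "$1" in
        cn=admin-console-keystore,*|*,cn=admin-console-keystore,*) return 1 ;;
    esac
    return 0
}

ldap_search() {
    ldapsearch -x -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" -LLL "$@"
}

# Base-scope read: a non-zero status (32, noSuchObject) means the entry is absent.
entry_exists() {
    ldap_search -b "$1" -s base dn >/dev/null 2>&1
}

# Number of entries directly below a DN; the KeyContainer entry must be empty.
child_count() {
    ldap_search -b "$1" -s one dn 2>/dev/null | grep -c '^dn: ' || true
}

remove_admin_console_cert() {
    kmo_dn=$(kmo_dn_for "$1")
    container_dn=$(dotted_to_dn "$CONTAINER_DOTTED")
    for dn in "$kmo_dn" "$container_dn"; do
        safe_to_delete "$dn" || { echo "refusing to touch $dn" >&2; return 1; }
        entry_exists "$dn"   || { echo "not found: $dn" >&2; return 1; }
    done
    n=$(child_count "$container_dn")
    [ "$n" -eq 0 ] || { echo "$container_dn holds $n entries, aborting" >&2; return 1; }
    for dn in "$kmo_dn" "$container_dn"; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "would delete: $dn"
        else
            ldapdelete -x -H "$LDAP_URL" -D "$BIND_DN" -w "$BIND_PW" "$dn"
        fi
    done
}

# Usage: LDAP_URL=ldaps://ac.example.com:636 BIND_DN='cn=admin,o=novell' \
#        BIND_PW='...' DRY_RUN=1 sh remove-admin-console-cert.sh <servername>
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    : "${LDAP_URL:=ldaps://localhost:636}"
    : "${BIND_DN:=cn=admin,o=novell}"
    : "${BIND_PW:?set BIND_PW to the administrator password}"
    remove_admin_console_cert "$1"
fi
```

Run it once with DRY_RUN=1 and compare the two printed DNs against what iManager shows before running it for real; the KMO object is deleted first, then the empty container, in the same order the TID gives.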

Additional Information

Novell Access Manager does not allow the deletion of default certificates that are created during the product installation.

The reason for this is that when new devices are first imported into the Administration Console, they are temporarily assigned the default certificates; these are replaced when the devices are added to a cluster.

Please also note that these default certificates are automatically renewed by the Administration Console when their expiration dates arrive.