Removing Certificate

Hi everyone,

Does anyone know how I can remove a certificate that I uploaded. All I can do is set the default but I would actually like to remove and there is no way to do that from the Cockpit.

Thanks

Hi Patrick,
I’ve found the following solution from @federico.ballarini:

  • created a “old-certificates” directory into /etc/letsencrypt/
  • moved /etc/letsencrypt/live/* into old-certificates
  • the same operation for “renewal” directory

If you don’t have a letsencrypt, perhaps he has another idea too.

If they’re certs from Let’s Encrypt, the easy answer would be certbot delete --cert-name whatever.yourdomain.tld.

3 Likes

I would love a way to delete expired certificates.

Or even better, a script that updates an existing certifciate and puts it where it needs to be and restarts all affected services. That way I don’t need to upload a new cert every three months. (I use LetsEncrypt domain certificate on another computer and move it where it’s needed).

Um, why?

signal-event certificate-update

  1. Why delete expired?

Replacing a certificate every three months ends up with a lot of expired certificates that clutter up the display

  1. Awesome! I know I have to copy my new certs into /etc/pki/tls/certs/ and /etc/pki/tls/private/ Is there any place else the uploaded cert gets placed?

Gerald

No, you really don’t. Just put the files somewhere consistent, do

config setprop pki CrtFile /etc/pki/tls/certs/cert.pem
config setprop pki ChainFile /etc/pki/tls/certs/chain.pem
config setprop pki KeyFile /etc/pki/tls/private/privkey.pem

substituting the paths with whatever you want. Then run signal-event certificate-update. It will make any necessary copies, set any necessary permissions, and restart or reload any services that use the cert. When renewal time hits, overwrite the old files and run signal-event certificate-update again. Scripting this on a remote host would be trivial. And as a bonus, since the file names aren’t changing, it stays as a single entry in the server-manager.

Also consider obtaining and renewing the cert on the Neth box itself. If it isn’t exposed to the Internet, you could consider DNS validation instead. See:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

3 Likes

Sorry, didn’t get the chance to come back to this any sooner. If I go in the folder where the certs are stored, can I just delete the useless certs? If so, in what folder are they?

I would look at /etc/pki/tls/certs/, but I can’t check at the moment.
I recommend you to move the files, not to delete at the first step. If everything is, you can remove them.

Thanks! I’ll give that a try! :slight_smile:

I completely forgot to try this. Just did, I moved the certs but they are still showing in the list. Perhaps I need to reboot.

I found the solution. Under /etc/pki/tls, there is private folder where the keys are stored. What I did was, moved the keys in a temporary folder, did the same for the certs and then the certificates are now gone from the list!!!

I wish NethServer would simply just have a way for us to remove certs directly or at at least move them in another view, and expired ones in a separate view as well.