Description
This article describes an issue where a remote certificate with 0 references cannot be deleted in the GUI.
Scope
FortiGate 6.4.x only.
Solution
When the remote certificate is used by EMS, the GUI shows it as having 0 references, which may lead the user to believe that the certificate can be deleted directly. However, when the certificate is deleted in the GUI, it appears to be removed only until the page is refreshed, after which it reappears.
Furthermore, when attempting to delete the remote certificate using the CLI, an error message is displayed indicating that the certificate is being used elsewhere.
FG # config vpn certificate remote
FG (remote) # show
config vpn certificate remote
    edit "REMOTE_Cert_2"
        set range global
    next
end
FG (remote) # delete REMOTE_Cert_2
Remote certificate is being used.
command_cli_delete:6599 delete table entry REMOTE_Cert_2 unset oper error ret=-23
Command fail. Return code -23
The following command can be used to check where the certificate is referenced:
show full-configuration | grep -f REMOTE_Cert_2
Since the certificate is used in an EMS connection, it is necessary to remove the EMS configuration before deleting the certificate:
FG # config endpoint-control fctems
FG (fctems) # show
config endpoint-control fctems
    edit "EMS"
        set server "10.0.0.1"
        set certificate "REMOTE_Cert_2"
    next
end
After removing the EMS configuration, the certificate can be deleted through either the GUI or the CLI:
FG # config endpoint-control fctems
FG (fctems) # delete "EMS"
FG (fctems) # end
FG # config vpn certificate remote
FG (remote) # delete REMOTE_Cert_2
FG (remote) # end
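The reference check described above can also be run offline against a saved configuration backup. The following is an added example, not part of the original article or Fortinet tooling: the function name find_references is hypothetical, the sample text is constructed from the snippets shown in this article, and it assumes the backup uses the same config/edit/set/next/end layout as the CLI output above.

```python
import shlex

# Constructed sample: configuration fragment assembled from this article's snippets.
SAMPLE_CONFIG = '''
config vpn certificate remote
    edit "REMOTE_Cert_2"
        set range global
    next
end
config endpoint-control fctems
    edit "EMS"
        set server "10.0.0.1"
        set certificate "REMOTE_Cert_2"
    next
end
'''


def find_references(config_text, name):
    """Return (config section, entry, option) for each 'set' line whose value is name."""
    stack, hits = [], []  # stack holds the currently open config/edit blocks
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:
            continue  # unbalanced quote: part of a multi-line value, not a keyword line
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(("config", " ".join(args)))
        elif keyword == "edit" and args:
            stack.append(("edit", args[0]))
        elif keyword in ("next", "end") and stack:
            stack.pop()  # 'next' closes an edit block, 'end' closes a config block
        elif keyword == "set" and name in args[1:]:
            section = " / ".join(v for k, v in stack if k == "config")
            entry = next((v for k, v in reversed(stack) if k == "edit"), None)
            hits.append((section, entry, args[0]))
    return hits


if __name__ == "__main__":
    for section, entry, option in find_references(SAMPLE_CONFIG, "REMOTE_Cert_2"):
        print(f'{section} -> edit "{entry}" -> set {option}')
```

Only objects that use the certificate are reported; the certificate's own definition under config vpn certificate remote is not a reference and is skipped.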