Remove Certs from SBCE

  • avc839539793240
    Member
    • Mar 2025
    • 3

    Remove Certs from SBCE

    I am trying to remove old TLS certs from the SBC. I get a message saying it is used by a cluster proxy or TLS Profile. Yes, a TLS Profile, so I try to delete that. I then get told it can't be deleted as it is currently in use, then that I need to disassociate it from various listed servers. I can find some of them and see that there is no TLS Profile associated on the servers I found: Signalling Interface, Endpoint Flow, Session Flow, STUN/TURN. I am struggling to work out if the TLS Profile is associated elsewhere, but the docs I have been using aren't helping much; I have tried "Ada" with similar results.

    Any thoughts, hints or tips?
  • mlombardi1
    Legend
    • Sep 2010
    • 538

    #2
    Certificates are assigned to TLS profiles, both client and server. TLS profiles can then be applied to:

    - signaling interfaces
    - relay profiles such as reverse proxy
    - TURN/STUN profiles
    - endpoint flows (subscriber)
    - SNI groups
    - LDAP servers
    Meridian IT - Senior Engineer


    • avc926104831712
      Aspiring Member
      • Jul 2025
      • 1

      #3
      Originally posted by mlombardi1:
      Certificates are assigned to TLS profiles, both client and server. TLS profiles can then be applied to:

      - signaling interfaces
      - relay profiles such as reverse proxy
      - TURN/STUN profiles
      - endpoint flows (subscriber)
      - SNI groups
      - LDAP servers
      That’s a solid list. I’ve also seen cases where the TLS profile was tied to an old SNI group or an unused TURN config that wasn’t obvious at first. Definitely worth double-checking those areas if something seems “in use” but you can’t track it down in the main flows.


      • avc932943114228
        Aspiring Member
        • Aug 2025
        • 1

        #4
        Great question. On SBCs, a TLS Profile can be referenced in less obvious places: SIP trunk objects, cluster bootstrap/HA sync, REST/management interfaces, certificate pinning lists, OCSP/CRL profiles, and cached profiles on inactive nodes. Try: export the running config and grep for the profile name; check cluster-wide templates; disable OCSP if bound; rotate to a dummy profile; drain/failover nodes; then delete. It’s like Cookie Clicker — hidden chains keep things alive until you find every last reference.
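        One way to make the "export the config and search for the profile name" step above concrete. This is an added example, not code from the thread, from Avaya, or from the SBCE itself: the configuration layout it reads is constructed for illustration and is not the real SBCE export format, and the profile names (OldServerTLS and the others), the `tls_profile=` key and the helper names `find_profile_refs` / `count_profile_refs` are all assumptions. The point it demonstrates is matching the profile name as a whole key/value token rather than as a substring, so that a profile called `OldServerTLS2` does not turn up as a false hit, and reporting the object type and name of each reference so they can be checked against the list in #2 (signaling interfaces, relay profiles, TURN/STUN profiles, endpoint flows, SNI groups, LDAP servers).

```shell
#!/bin/sh
# Added example (not from the thread or from Avaya). Searches an exported
# configuration dump for every object that still references a given TLS
# profile, so those objects can be re-pointed before the profile and its
# certificate are deleted. The config format below is CONSTRUCTED for
# illustration only; it is not the SBCE export format.

CONFIG_FILE="${TMPDIR:-/tmp}/sbce-config-example.txt"

# Constructed sample export: one object per line, "[type] key=value ...".
# Several objects still point at the old profile, one of them an SNI group
# and one a TURN/STUN profile, i.e. the less obvious places mentioned above.
cat > "$CONFIG_FILE" <<'EOF'
[signaling-interface] name=Sig_Ext tls_profile=OldServerTLS port=5061
[signaling-interface] name=Sig_Int tls_profile=NewServerTLS port=5061
[endpoint-flow] name=Remote_Workers tls_profile=NewServerTLS
[turn-stun-profile] name=TURN_Legacy tls_profile=OldServerTLS
[sni-group] name=SNI_2019 tls_profile=OldServerTLS
[ldap-server] name=AD01 tls_profile=NewClientTLS
[relay-profile] name=ReverseProxy_Old tls_profile=OldServerTLS
[sni-group] name=SNI_Test tls_profile=OldServerTLS2
EOF

# find_profile_refs PROFILE FILE
# Prints "object-type object-name" for every object whose tls_profile value
# is exactly PROFILE. The token must be delimited by whitespace or line
# start/end, so a longer name that merely starts with PROFILE is not matched.
find_profile_refs() {
  profile="$1"
  file="$2"
  grep -E "(^|[[:space:]])tls_profile=${profile}([[:space:]]|$)" "$file" \
    | sed -E 's/^\[([^]]+)\][[:space:]]+name=([^[:space:]]+).*/\1 \2/'
}

# count_profile_refs PROFILE FILE
# Number of objects still referencing PROFILE; 0 means it is safe to delete
# as far as this export can tell.
count_profile_refs() {
  find_profile_refs "$1" "$2" | wc -l | tr -d ' '
}

# Usage: list what still holds OldServerTLS, then the remaining count.
find_profile_refs OldServerTLS "$CONFIG_FILE"
echo "remaining references: $(count_profile_refs OldServerTLS "$CONFIG_FILE")"
```

        Run it against a real export by replacing `CONFIG_FILE` and adjusting the two regular expressions to whatever key names and object delimiters that export actually uses; the whole-token match and the type/name reporting are the parts worth keeping.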
