Cannot Delete Any Root Certificates with Duplicate Common Name if one is used for Signing

Created On 09/29/25 09:05 AM - Last Modified 01/29/26 03:19 AM


Symptom


The "Delete" option is grayed out when attempting to delete one root certificate, but is enabled when attempting to delete another root certificate on the same device.

In the example below, the "Delete" option is grayed out for "Root Certificate02" but enabled for "Root Certificate03".

Neither Root Certificate02 nor Root Certificate03 has been used to sign a client/server certificate.



Environment


• Palo Alto Firewalls
• Supported PAN-OS
• A self-signed or enterprise certificate exists on the device



Cause


Root certificates that meet both of the following conditions cannot be deleted via the GUI:
1. Multiple root certificates on the device have the same Common Name (CN).
2. At least one client/server certificate has been signed by one of those root certificates.

The subject-hash is derived from the certificate's subject name only, not from its key, so every root certificate with the same subject has the same subject-hash. When a client/server certificate is signed by any one of them, its issuer-hash matches the subject-hash of all of them, and the GUI treats every one of those root certificates as being in use. As a result, none of the root certificates with that subject-hash can be deleted via the GUI, including the ones that never signed anything.

The hash values can be checked from the CLI:

admin@PA-VM> request certificate show

name: Root Certificate01
common-name: root.local
subject CN = root.local
issuer CN = root.local
subject-hash 7f513098
issuer-hash 7f513098
ca: yes
not-valid-before Sep 30 06:31:22 2025 GMT
not-valid-after Sep 30 06:31:22 2026 GMT
expiry: 1759244400


name: Root Certificate02
common-name: root.local
subject CN = root.local
issuer CN = root.local
subject-hash 7f513098
issuer-hash 7f513098
ca: yes
not-valid-before Sep 30 06:34:05 2025 GMT
not-valid-after Sep 30 06:34:05 2026 GMT
expiry: 1759244400


name: Root Certificate03
common-name: root.local2
subject CN = root.local2
issuer CN = root.local2
subject-hash 1d59cef2
issuer-hash 1d59cef2
ca: yes
not-valid-before Oct  1 04:14:27 2025 GMT
not-valid-after Oct  1 04:14:27 2026 GMT
expiry: 1759244400


name: Server Certificate
common-name: server.local
subject CN = server.local
issuer CN = root.local
subject-hash bd76b64f
issuer-hash 7f513098
ca: no
not-valid-before Oct  1 04:23:42 2025 GMT
not-valid-after Oct  1 04:23:42 2026 GMT
expiry: 1759244400
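The collision shown above can be reproduced off-box with OpenSSL, whose -subject_hash and -issuer_hash are likewise derived from the X.500 name alone. The script below is an added example and is not from the article or from Palo Alto Networks: it creates two self-signed CAs with the identical subject CN=root.local (the file prefixes root01, root02, root03 and server are assumed names), a third CA with CN=root.local2, and a leaf signed only by root01. A name-hash comparison, which is what ties certificates together on the firewall, flags both root01 and root02 as the leaf's issuer; "openssl verify", which checks the signature, identifies root01 alone. That second check is the one to run before removing a root from the CLI.

```shell
#!/bin/sh
# Added example (not from the article): reproduce the subject-hash collision with OpenSSL.
# Two independent self-signed CAs share the subject CN=root.local; a leaf is signed by the
# first one only. -subject_hash / -issuer_hash are derived from the X.500 name alone, so the
# leaf's issuer_hash matches BOTH roots, exactly like the firewall's subject-hash.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal self-contained config so the roots carry CA extensions regardless of the
# system openssl.cnf ("openssl verify" rejects a v3 root without basicConstraints).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {   # $1 = CN, $2 = file prefix (root01/root02/root03 are assumed names)
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}
make_ca root.local  root01
make_ca root.local  root02    # same CN as root01, different key pair
make_ca root.local2 root03

# Leaf certificate CN=server.local, signed by root01 only.
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=server.local' -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root01.crt" -CAkey "$WORK/root01.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/server.crt" 2>/dev/null

subject_hash() { openssl x509 -in "$WORK/$1.crt" -noout -subject_hash; }
issuer_hash()  { openssl x509 -in "$WORK/$1.crt" -noout -issuer_hash; }
# The check the name hash cannot make: does this root's key verify the leaf's signature?
signed_by()    { openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; }

# Roots a name-hash comparison (the GUI's dependency check) would tie to the leaf.
name_hash_matches() {   # $1 = leaf prefix; prints matching root prefixes, space separated
    leaf_issuer=$(issuer_hash "$1"); out=''
    for r in root01 root02 root03; do
        if [ "$(subject_hash "$r")" = "$leaf_issuer" ]; then out="$out $r"; fi
    done
    echo "${out# }"
}
# Roots that actually signed the leaf (signature verification, not name matching).
real_signers() {        # $1 = leaf prefix
    out=''
    for r in root01 root02 root03; do
        if signed_by "$r" "$1"; then out="$out $r"; fi
    done
    echo "${out# }"
}

echo "server issuer_hash : $(issuer_hash server)"
for r in root01 root02 root03; do
    echo "$r subject_hash  : $(subject_hash "$r")"
done
echo "name-hash matches (what blocks GUI delete) : $(name_hash_matches server)"
echo "verified signer (the root to keep)         : $(real_signers server)"
```

Run it as a plain sh script; the two root.local CAs print the same subject_hash, which equals the leaf's issuer_hash, while only root01 verifies the leaf. On the firewall the equivalent of the verify step is to confirm which root's key actually issued the dependent certificate before deleting a same-named root from the CLI.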

 



Resolution


Delete the certificate via the CLI, then commit:

CLI> configure
CLI# delete shared certificate <Certificate Name>
CLI# commit

The CLI does not apply the GUI's dependency check, so before deleting confirm that the certificate is not the one that actually signed a client/server certificate still in use. The matching subject-hash shown by "request certificate show" only proves that the names match, not that this root's key did the signing.

 



Additional Information


How to ensure device certificate can be deleted



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fyEPKAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail