Removing a certificate
About certificate removal
You can remove certificates from a PKI domain in the following situations:
Remove a CA certificate, local certificate, or peer certificate if the certificate has expired or is about to expire.
Remove a local certificate if the certificate's private key is compromised, or if you want to request a new local certificate to replace the existing one.
Restrictions and guidelines
After you remove the CA certificate, the system automatically removes the local certificates, peer certificates, and CRLs from the domain.
To remove a local certificate and request a new certificate, perform the following tasks:
Remove the local certificate.
Use the public-key local destroy command to destroy the existing local key pair.
Use the public-key local create command to generate a new key pair.
Request a new certificate.
For more information about the public-key local destroy and public-key local create commands, see Security Command Reference.
Procedure
Enter system view.
system-view
Remove a certificate.
pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }
If you use the peer keyword without specifying a serial number, this command removes all peer certificates in the domain.
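The rekey task list and the procedure above, carried through as one CLI session on a Comware-style device. This is an added example, not text from the original page: the domain name branch1, the peer serial number, the rsa key type, and the display, public-key and pki request-certificate commands are assumptions taken from the usual Security Command Reference syntax rather than from this page; lines beginning with # are annotations, not device output.

```console
# Added example (not from the original page): replacing a local certificate
# in PKI domain "branch1" (constructed name) after a private key compromise.
<Sysname> system-view
# 1. Confirm which certificate you are about to remove.
[Sysname] display pki certificate domain branch1 local
# 2. Remove the local certificate only. Do not use "ca" here: removing the CA
#    certificate also removes the domain's local and peer certificates and CRLs.
[Sysname] pki delete-certificate domain branch1 local
# 3. Destroy the old key pair so the compromised private key cannot be reused.
[Sysname] public-key local destroy rsa
# 4. Generate a fresh key pair (key type assumed to be rsa).
[Sysname] public-key local create rsa
# 5. Request a new certificate for the domain.
[Sysname] pki request-certificate domain branch1
# 6. Verify that the new local certificate is in place.
[Sysname] display pki certificate domain branch1 local
# Peer certificates: remove a single one by serial number (constructed value);
# omitting "serial" removes every peer certificate in the domain.
[Sysname] pki delete-certificate domain branch1 peer serial 1a2b3c
```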