
14.8.12 Deleting a Registered X.509 Public Key Certificate


To delete an X.509 public key certificate from the system, use the deletevbootcerts command in the XSCF shell. Execute the deletevbootcerts command with a user account that has the platadm or pparadm privilege.
You can delete a public key certificate when the public key certificate is disabled.
XSCF> deletevbootcerts -p ppar_id -i index
For ppar_id, specify the destination physical partition. For index, specify the index number of the user's certificate to be deleted.
You can check the index number from a list of user's certificates that is output by executing the showvbootcerts command with the -a option specified.
XSCF> showvbootcerts -p ppar_id -a
Note - You cannot delete a public key certificate while it is enabled. Delete it after disabling it by using the setvbootconfig command. See "14.8.11  Enabling/Disabling a Registered X.509 Public Key Certificate."
Note - You can also use XSCF Web to enable/disable an X.509 public key certificate.
Note - A system default certificate is a public key certificate the XSCF has by default. System default certificates cannot be deleted.
Operation Procedure
  1. Log in to the XSCF.
    For details, see "2.2  Logging In to the XSCF Shell."
  2. Execute the showvbootcerts command to check the index number of the user's certificate to be deleted and whether the certificate is disabled.
    You cannot delete a public key certificate while it is enabled. Execute the setvbootconfig command to disable it.
    In the following example, all the X.509 public key certificates registered in PPAR-ID 2 are displayed.
XSCF> showvbootcerts -p 2 -a
--------------------------------------------------------------------------------

PPAR-ID 2 System Index : 1 name : SYSTEM_CERT_1 [Enable(Unchangeable)]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    0d:fb:b1:5a:2d:2a:e5:81:80:86:eb:34:5e:a4:7e:ed
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Oracle Corporation, OU=VeriSign Trust Network, OU=Class 2 Managed PKI Individual Subscriber CA, CN=Object Signing CA
  Subject: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Signed Execution, CN=Solaris 11
--------------------------------------------------------------------------------

PPAR-ID 2 User Index : 2 name : CUSTOM_CERT_2 [Enable]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:aa:70
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Thirdparty Corporation, OU=Thirdparty CA, CN=www.example.com
  Subject: O=Thirdparty Corporation, OU=Thirdparty Signed Execution, CN=www.example.com
--------------------------------------------------------------------------------

PPAR-ID 2 User Index : 5 name : CUSTOM_CERT_5 [Enable]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:bb:71
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Thirdparty Corporation, OU=Thirdparty CA, CN=www.example.com
  Subject: O=Thirdparty Corporation, OU=Thirdparty Signed Execution, CN=www.example.com
--------------------------------------------------------------------------------
  3. Execute the deletevbootcerts command to delete the public key certificate.
    In the following example, the X.509 public key certificate registered as index number 5 in PPAR-ID 2 is deleted. "y (yes)" is the response to the confirmation message.
XSCF> deletevbootcerts -p 2 -i 5
Index 5, CUSTOM_CERT_5 will be deleted from PPAR-ID 2,
Continue?[y|n]:
  4. Execute the showvbootcerts command to confirm that the public key certificate was deleted.
    In the following example, all the X.509 public key certificates registered in PPAR-ID 2 are displayed. You can see that the public key certificate with index number 5 has been deleted.
XSCF> showvbootcerts -p 2 -a
--------------------------------------------------------------------------------

PPAR-ID 2 System Index : 1 name : SYSTEM_CERT_1 [Enable(Unchangeable)]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    0d:fb:b1:5a:2d:2a:e5:81:80:86:eb:34:5e:a4:7e:ed
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Oracle Corporation, OU=VeriSign Trust Network, OU=Class 2 Managed PKI Individual Subscriber CA, CN=Object Signing CA
  Subject: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Signed Execution, CN=Solaris 11
--------------------------------------------------------------------------------

PPAR-ID 2 User Index : 2 name : CUSTOM_CERT_2 [Enable]
--------------------------------------------------------------------------------

Data:
  Version: 3 (0x2)
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:aa:70
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, O=Thirdparty Corporation, OU=Thirdparty CA, CN=www.example.com
  Subject: O=Thirdparty Corporation, OU=Thirdparty Signed Execution, CN=www.example.com
--------------------------------------------------------------------------------
  5. Execute the exit command to log out from the XSCF shell.
    If you do not have any further work with the XSCF shell, log out from the XSCF. To proceed to configuring another setting, go to the relevant step.
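
The following is an added example, not part of the original manual or any vendor tooling: a Python sketch that parses saved showvbootcerts -a output, reports why an index cannot be deleted yet (system default certificate, or still enabled), and confirms after deletion that only the intended entry disappeared. The function names are hypothetical, the listings are constructed, and the "[Disable]" state string is an assumption; any state that does not begin with "Enable" is treated as disabled.

```python
import re

# Header line layout as printed by "showvbootcerts -p ppar_id -a" on this page.
HEADER = re.compile(r"PPAR-ID\s+(\d+)\s+(System|User)\s+Index\s*:\s*(\d+)"
                    r"\s+name\s*:\s*(\S+)\s+\[([^\]]+)\]")
SERIAL = re.compile(r"(?:[0-9a-f]{2}:)+[0-9a-f]{2}")

def parse_certs(text):
    """Return {index: record} for each certificate block in the listing."""
    certs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.search(line)
        if m:
            current = certs[int(m[3])] = {"ppar": int(m[1]), "kind": m[2],
                                          "name": m[4], "state": m[5], "serial": None}
        elif current is not None and SERIAL.fullmatch(line):
            current["serial"] = line
    return certs

def deletion_blockers(certs, index):
    """Reasons, per the notes above, that this index cannot be deleted yet."""
    cert = certs.get(index)
    if cert is None:
        return ["index not registered"]
    reasons = []
    if cert["kind"] == "System":
        reasons.append("system default certificate")
    if cert["state"].startswith("Enable"):
        reasons.append("enabled")
    return reasons

def removed_exactly(before, after, index):
    """True if only `index` disappeared and every other entry is unchanged."""
    return index in before and after == {i: c for i, c in before.items() if i != index}

# Constructed listings (not captured from a real XSCF); "[Disable]" is assumed.
BEFORE = """\
PPAR-ID 2 System Index : 1 name : SYSTEM_CERT_1 [Enable(Unchangeable)]
  Serial Number:
    0d:fb:b1:5a:2d:2a:e5:81:80:86:eb:34:5e:a4:7e:ed
PPAR-ID 2 User Index : 2 name : CUSTOM_CERT_2 [Enable]
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:aa:70
PPAR-ID 2 User Index : 5 name : CUSTOM_CERT_5 [Disable]
  Serial Number:
    07:ad:b3:06:99:82:39:db:dd:60:41:44:71:be:bb:71
"""
AFTER = BEFORE[:BEFORE.index("PPAR-ID 2 User Index : 5")]
```

Comparing serial numbers as well as names matters here because the two third-party certificates in the listing share the same Issuer and Subject and differ only in serial number and index.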