Removing a certificate

You can remove the CA certificate, local certificate, or peer certificates in a PKI domain. After you remove the CA certificate, the system automatically removes the local certificates, peer certificates, and CRLs in the domain.

You can remove a local certificate and request a new one when the local certificate is about to expire or its private key has been compromised. Removing the certificate from the device does not revoke it at the CA; in the compromise case, destroying the old key pair (step 2 below) is what guarantees that the compromised key is not reused for the replacement certificate. To remove a local certificate and request a new certificate, perform the following tasks:

  1. Remove the local certificate.

  2. Use the public-key local destroy command to destroy the existing local key pair.

  3. Use the public-key local create command to generate a new key pair.

  4. Request a new certificate.

To remove a certificate:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Remove a certificate.
  Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }
  Remarks: If you use the peer keyword without specifying a serial number, this command removes all peer certificates in the domain. Removing the CA certificate also removes the local certificates, peer certificates, and CRLs in the domain.
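The four-step key-rollover procedure above, followed by the peer-certificate case, as a single CLI session. This is an added example, not a transcript from this guide. It assumes a PKI domain named corp bound to an RSA key pair named corp-rsa and configured for online enrollment with its CA; the domain and key names, the rsa keyword and name argument of the public-key local commands, the peer serial number, and the pki request-certificate and display pki certificate commands used to enroll and verify are assumptions drawn from the Comware command set, not from this page. Device prompts and command output are omitted.

```console
<Device> system-view

# Step 1: remove only the local certificate. The CA certificate, peer
# certificates and CRL in domain corp are left in place.
[Device] pki delete-certificate domain corp local

# Step 2: destroy the key pair the old certificate was issued for, so a
# compromised private key cannot be reused. (Assumed: RSA pair named corp-rsa.)
[Device] public-key local destroy rsa name corp-rsa

# Step 3: generate a replacement pair under the same name, so the domain's
# existing public-key binding refers to the new key. (Assumed binding.)
[Device] public-key local create rsa name corp-rsa

# Step 4: request a new certificate for domain corp. (Assumes the domain is
# configured for online enrollment; the command is not shown on this page.)
[Device] pki request-certificate domain corp

# Check: the new local certificate is present and the CA certificate survived
# step 1. (display pki certificate is assumed from the Comware command set.)
[Device] display pki certificate domain corp local
[Device] display pki certificate domain corp ca

# Peer certificates: always give the serial number (placeholder value here).
# Without "serial", the command removes every peer certificate in the domain.
[Device] pki delete-certificate domain corp peer serial 1234abcd
```

If you remove the ca certificate in step 1 instead of local, the local and peer certificates and the CRL of the domain go with it, so you would have to obtain the CA certificate again before the request in step 4 can be verified. Keep step 1 to local when the goal is only to roll the device's own key and certificate.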