Certificate is "locked" by IPsec even in PSK mode



  • I had a certificate in the Cert Manager that I couldn't delete because it was in use by IPsec (thankfully it said what was using it!). However, my IPsec configuration only uses PSK (Mutual PSK + Xauth and Mobile IPsec), though I may have saved it at some point in the past with Mutual RSA + Xauth, which uses certificates; currently it was set to PSK. However, it was still preventing the certificate from being deleted as "in-use." I had to switch the IPsec profile to Mutual RSA + Xauth, select a different certificate, save, and then I could delete that certificate in Cert Manager and change the IPsec profile back to PSK.

    Ironically, it didn't save my pre-shared key (I copied it first so I was OK) when switching back to PSK mode; it just saves the cert config when it's not "current." I kind of like the "save previous setting" thing, but would like a way to easily delete the certificate that's not "active" in an IPsec tunnel's config without the workaround…mainly because it could be confusing to an end-user, or time-consuming if there were many PSK-type IPsec tunnels and you had multiple IPsec tunnels with the "hidden saved" cert to change & remove. My workaround worked fine for me; I can just see it being more of a pain or harder to figure out for the average user or heavy IPsec user.


  • Rebel Alliance Developer Netgate

    Yeah I think that form field is hidden but not disabled when it's inactive. The field probably just needs to be cleared before it's saved for a PSK tunnel.


  • Rebel Alliance Developer Netgate

    Should be OK now:
    https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/a2eec62a65e912b7d0bdbb59a82f63f59137818d

    Edit and save your IPsec phase 1 entries and the ca/cert references will be removed.
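The behaviour discussed in this thread, modelled as an added example (not pfSense's own code): the Cert Manager's "in use" check only looks for references to the certificate, so a phase 1 entry that was once saved with Mutual RSA and later switched to PSK still blocks deletion until the hidden `certref`/`caref` fields are cleared on save. The field names, the `authentication_method` values and the sample entries are assumptions constructed for the illustration.

```python
# Added example: why a stale certificate reference in an IPsec phase 1 entry
# keeps a certificate "in use", and how clearing that reference when a PSK
# tunnel is saved fixes it. Illustrative only, not pfSense's own code; the
# config field names and method values below are assumptions.

# Assumed authentication_method values that use a pre-shared key, not a cert.
PSK_METHODS = {"pre_shared_key", "xauth_psk_server"}


def cert_in_use_by_ipsec(certref, phase1_entries):
    """Model of the Cert Manager check: any phase 1 entry that still
    references certref counts as a user, regardless of its auth method."""
    return [p1["descr"] for p1 in phase1_entries if p1.get("certref") == certref]


def save_phase1(p1):
    """Model of the corrected save path: a PSK tunnel keeps no cert/CA
    references, so a previously selected certificate is released."""
    saved = dict(p1)
    if saved.get("authentication_method") in PSK_METHODS:
        saved.pop("certref", None)
        saved.pop("caref", None)
    return saved


# Constructed sample config: the first tunnel was once saved as Mutual RSA +
# Xauth and later switched to Mutual PSK + Xauth, keeping the hidden certref.
PHASE1 = [
    {"descr": "Mobile IPsec", "authentication_method": "xauth_psk_server",
     "certref": "cert-old", "caref": "ca-old"},
    {"descr": "Site B", "authentication_method": "pre_shared_key"},
]

if __name__ == "__main__":
    # Before re-saving: the stale reference blocks deletion.
    print(cert_in_use_by_ipsec("cert-old", PHASE1))   # ['Mobile IPsec']
    # After re-saving each phase 1 entry: no references remain.
    fixed = [save_phase1(p1) for p1 in PHASE1]
    print(cert_in_use_by_ipsec("cert-old", fixed))    # []
```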



  • Nope, re-saved Mobile IPsec phase 1 and site-to-site phase 1 both, one is PSK+Xauth and one is PSK, no certs for IPsec in use (and applied changes). Certificate still shows up in Cert Manager as in use by IPsec and unable to delete. I'm going to use the workaround to remove it, as I need it removed to finish a reconfiguration of certs now.

