Citrix ADC old server certificate appears to be binding after replaced by a new certificate.

Article ID: CTX338630

Description

Customers may find that after binding a new server certificate to replace the old one, “Show Bindings” for the old certificate still lists it as bound to the virtual server.
Testing access to the SSL vserver shows that the certificate used in the SSL handshake has already changed to the new certificate. This does not affect production, but it can confuse the ADC administrator.

For example:

1. Run show ssl vserver VPN to check that the currently bound certificate is “atest”:
> show ssl vserver VPN

1)      CertKey Name: atest     Server Certificate

2. Bind a new certificate “xms_san_2022” to replace the old one:
> bind ssl vserver VPN -certkeyName xms_san_2022
Warning: Current certificate replaces the previous binding
Done

3. Run show ssl certkey “atest” and you’ll find it still shows a binding to the old SSL vserver, although it is actually not in use, as you can verify by accessing this vserver with a browser or openssl:
> show ssl certkey atest
        Name: atest             Status: Valid,   Days to expiration:167
        Version: 3
        Serial Number: 02
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:  C=US,ST=California,L=San Jose,O=Citrix ANG,OU=NS Internal,CN=default XJYTKI
        Validity
                Not Before: Jul  7 03:36:50 2021 GMT
                Not After : Jul  7 03:36:50 2022 GMT
        Certificate Type:       "Client Certificate"    "Server Certificate"
        Subject:  C=US,ST=a,O=b,CN=c
        Public Key Algorithm: rsaEncryption
        Public Key size: 2048
        Ocsp Response Status: NONE
        SAN ENTRIES:
                None

        1)      VServer name: certbind-test     Server Certificate
        2)      VServer name: VPN-DtlsTurn      Server Certificate
        3)      VServer name: VPN       Server Certificate
        4)      VServer name: _XM_MAM_LB_192.168.1.1_8443       Server Certificate
        5)      VServer name: nswl-filter-vip-2 Server Certificate
        6)      VServer name: nswl-filter-vip1  Server Certificate


Resolution

As this does not influence the SSL certificate that ADC actually uses in production, the following workarounds are available until the official fix is released.
Workarounds:
Workaround 1. If the old certificate is no longer in use, it is safe to delete it from ADC.

To check whether the old certificate is still actually in use, run the following command in the ADC CLI:
> show ns runningConfig | grep bind.*certkey
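As an added illustration of the Workaround 1 check (example code, not part of the original article), the following Python reconciles the binding list that "show ssl certkey" displays against the "bind ssl vserver" lines in the running config, so stale display entries can be told apart from real bindings. The sample CLI output and the function names are constructed for the example.

```python
import re

# Constructed sample output of "show ns runningConfig | grep bind.*certkey"
# (not captured from a real appliance).
RUNNING_CONFIG = """\
bind ssl vserver certbind-test -certkeyName atest
bind ssl vserver VPN-DtlsTurn -certkeyName xms_san_2022
bind ssl vserver VPN -certkeyName xms_san_2022
bind ssl vserver nswl-filter-vip1 -certkeyName atest
"""

# Constructed sample of the binding section that "show ssl certkey atest"
# still displays after VPN and VPN-DtlsTurn were rebound to xms_san_2022.
SHOW_CERTKEY_ATEST = """\
        1)      VServer name: certbind-test     Server Certificate
        2)      VServer name: VPN-DtlsTurn      Server Certificate
        3)      VServer name: VPN       Server Certificate
        4)      VServer name: nswl-filter-vip1  Server Certificate
"""

BIND_RE = re.compile(r"^bind ssl vserver (\S+) -certkeyName (\S+)", re.M)
DISPLAY_RE = re.compile(r"VServer name:\s+(\S+)")


def effective_bindings(running_config):
    """(vserver, certkey) pairs really bound according to the running config."""
    return set(BIND_RE.findall(running_config))


def displayed_bindings(show_certkey_output):
    """Vservers that 'show ssl certkey' claims the certificate is bound to, in display order."""
    return DISPLAY_RE.findall(show_certkey_output)


def certkey_in_use(certkey, running_config):
    """Workaround 1 check: is the certkey bound to any vserver in the running config?"""
    return any(ck == certkey for _, ck in effective_bindings(running_config))


def stale_bindings(certkey, show_certkey_output, running_config):
    """Vservers listed by 'show ssl certkey' whose running config no longer binds this certkey."""
    real = effective_bindings(running_config)
    return [v for v in displayed_bindings(show_certkey_output) if (v, certkey) not in real]


if __name__ == "__main__":
    print("atest in use:", certkey_in_use("atest", RUNNING_CONFIG))
    print("stale display entries:", stale_bindings("atest", SHOW_CERTKEY_ATEST, RUNNING_CONFIG))
```

On a real appliance, paste the output of the two show commands into the constants and delete the certkey only when certkey_in_use returns False.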

Workaround 2. Reboot the device; the unwanted binding information will then be cleared.

Workaround 3. To prevent the issue from happening again, unbind the old certificate before binding the new one.


Problem Cause

This is a known ADC configuration issue that is under developer review. Currently it is confirmed to affect only the CLI/GUI display.

Issue/Introduction

A known Citrix ADC configuration interface issue.