Currently they must be deleted manually first, or api session deletes will fail, as will identity deletes with api sessions/api-session certs.