https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653967#M576270 <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#concept_a1f_v2t_msb" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#concept_a1f_v2t_msb</A></P> Wed, 20 Jul 2022 14:44:12 GMT ahollifield 2022-07-20T14:44:12Z https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653889#M576268 <P>Hello Members,</P><P>I see after the certificate binding on ISE, the cert status as Stale, under the system certificate tab. How to fix this issue?</P> Wed, 20 Jul 2022 12:05:06 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653889#M576268 Anilvnair 2022-07-20T12:05:06Z https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653967#M576270 <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#concept_a1f_v2t_msb" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#concept_a1f_v2t_msb</A></P> Wed, 20 Jul 2022 14:44:12 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653967#M576270 ahollifield 2022-07-20T14:44:12Z https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653968#M576271 <H3 id="ariaid-title99" class="title topictitle3">Stale System and Trusted Certificates</H3> <SECTION class="body conbody"> <P class="p">Stale certificates are certificates that don’t belong to any node in the deployment. These redundant certificates might accumulate in large numbers in the System and Trusted Certificate stores, leading to insufficient memory and latency issues. From with Cisco ISE Release 3.1, such redundant certificates carry a<SPAN>&nbsp;</SPAN><SPAN class="ph uicontrol">Stale Certificate</SPAN><SPAN>&nbsp;</SPAN>status, enabling you to review and delete them.</P> </SECTION> Wed, 20 Jul 2022 14:44:28 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653968#M576271 ahollifield 2022-07-20T14:44:28Z https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653979#M576274 <P>Did you search for the word "stale" in the ISE Admin Guide?</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1.html" target="_self" rel="nofollow noreferrer">ISE 3.1 Administrator Guide</A> &gt; <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html" target="_blank">Basic Setup</A></P> Wed, 20 Jul 2022 14:59:26 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4653979#M576274 thomas 2022-07-20T14:59:26Z https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4993620#M586210 <P>In a complex deployment runnin for years now we are using seperate interfaces for the Guest Portal.<BR />We have a Guest Portal Certificate signed by 3rd party that ist shown as stale,<BR />because neither its' CNs nor its SANs match the fqdn of the one of the nodes.<BR />We use "ip host" aliases for guest portal setup that ISE cert check obvoiusly forgot to consider <BR />if an installed system certificate is referenced.<BR /><BR />And.... Yes, I have read the manuals ... at least partially <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 10 Jan 2024 12:36:08 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/4993620#M586210 ffischer 2024-01-10T12:36:08Z https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/5024115#M587650 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/286176">@ffischer</a> ,<BR /><BR />we ran into this issue as well. Does the "ip host" fix definitely the issue?</P><P>Thx, Gio</P> Sun, 25 Feb 2024 15:55:15 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/5024115#M587650 Gioacchino 2024-02-25T15:55:15Z https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/5029900#M587802 <P>Well..&nbsp;<BR />The certificates are cecked for beeing referenced in the ISE config<BR />by internal code running automatically in regular intervals.<BR />The code obviously ignores the host names in the ip aliases on the CLI.<BR /><BR />I'm not aware of a confirmed bug nor a fix for this bug.<BR /><BR />Nothing you or I can "fix" if you need the host alias.<BR />If you do not need it, then delete it.</P> Thu, 29 Feb 2024 14:47:46 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/m-p/5029900#M587802 ffischer 2024-02-29T14:47:46Z