Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3288
Views
1
Helpful
8
Replies

Remove endpoint certificate from ISE internal CA

Go to solution
Eric Pineda
Cisco Employee
Cisco Employee

‎09-07-2016 05:13 PM

Hi folks,

Is it posible to remove endpoint certificates generated by ISE internal CA?

Thanks,

Eric

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎09-08-2016 06:45 AM

Yes, you can revoke an endpoint cert by going to Administration > System > Certificates, choose Endpoint Certificates from the Left Menu.  Select the cert you would like to revoke and click the X Revoke button.

endpointCert.PNG

Screenshot is from ISE 2.1

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎09-08-2016 06:45 AM

Yes, you can revoke an endpoint cert by going to Administration > System > Certificates, choose Endpoint Certificates from the Left Menu.  Select the cert you would like to revoke and click the X Revoke button.

endpointCert.PNG

Screenshot is from ISE 2.1

0 Helpful

Go to solution
saxenanitesh8522
Level 4
Level 4
In response to Charlie Moreton

‎11-02-2022 05:11 AM

Hi

If we are revoking the certificate the users are stil able to login.

We have gone to the internal ca and revoked the certificate but the device is still authenticating and getting on-board.

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to saxenanitesh8522

‎11-02-2022 02:34 PM

It sounds like ISE is not performing the revocation checks for some reason. I would suggest confirming the following:

  • Verify that the internal CA/EST/OCSP responder is enabled in Admin > System > Certificates > Certificate Authority > Internal CA Settings
  • Verify that the OCSP validation is enabled and using the internal OCSP responder for all of the internal CA chain certificates in Admin > System > Certificates > Certificate Management > Trusted Certificates

If both of those are verified, you likely need to open a TAC case to investigate further.

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎09-08-2016 06:48 AM

You can revoke but not remove (delete)

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee

‎09-08-2016 07:34 AM

Endpoint certificates will be removed 30 days after its expiry automatically. Revoked certificates will also be removed 30 days after expiry.

Go to solution
Eric Pineda
Cisco Employee
Cisco Employee
In response to howon

‎09-08-2016 10:48 AM

Thanks for the responses!

0 Helpful

Go to solution
Looi Siew Key
Level 1
Level 1
In response to howon

‎12-07-2018 12:18 AM

Hi howon,

 

How if the expired or revoke certificate to be retained or extend listed in endpoint certificate before automatically delete ?

0 Helpful

Go to solution
salprevitera
Level 1
Level 1
In response to howon

‎08-03-2022 09:57 AM

so, what you saying if the certificate expire in 2 years, it will stay there for 2 years and 30 days before it is gone....WOW

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents