02-11-2025 06:43 PM
Baltimore CyberTrust Root is expired.
As we found it on Trusted Certificates on ISE.
This certificate will expire soon. When it expires, ISE may fail when attempting to establish secure communications with clients. Inter-node communication may also be affected.
Description: Auto imported for secure connection to cisco.com/perfigo.com
Usage: Trust for authentication of cisco services
Valid From Sat, 13 May 2000 01:46:00 ICT
Valid To (Expiration) Tue, 13 May 2025 06:59:00 ICT
Suggested Actions Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use ISE to extend the expiration date. You can just delete the certificate if it is no longer used.
How to resolve this issue?
Thank you,
02-12-2025 08:20 PM
I think so. This is a root certificate not updated from the DigiCert side.
02-12-2025 08:06 PM
We have the same issue; it seems that the cert has not been updated from the DigiCert side: https://www.digicert.com/kb/digicert-root-certificates.htm#otherroots. Waiting for Cisco TAC to resolve it.
02-12-2025 08:09 PM
02-12-2025 10:20 PM
Japan TAC wrote (ISE: "Baltimore CyberTrust Root" certificate expiry):
The above bug information states "Contact TAC to get more information" as a workaround, but even if you contact Cisco TAC, they will not be able to disclose any information that is not stated in the bug information. We understand that you may have questions and concerns, but please wait until bug CSCwo05386 is updated.

02-13-2025 03:06 PM
I think this is a non-issue.
Here is a list of most of the Cisco services that an ISE system can access (I have excluded Posture modules, because I don't have an Apex License to test this):
- www.cisco.com and iseservice.cisco.com (used to fetch BYOD packages)
- smartreceiver.cisco.com (Smart Licensing to CSSM)
- ise.cisco.com (used for Profiler Feed updates)
- Unsure about Posture Modules??? Maybe someone can run a tcpdump while running a Posture update on their ISE.
Check the CA cert issued for that web service
curl -vvI https://ise.cisco.com/
reveals
subjectAltName: host "ise.cisco.com" matched cert's "ise.cisco.com"
issuer: C=US; O=IdenTrust; OU=HydrantID Trusted Certificate Service; CN=HydrantID Server CA O1
I think Cisco switched to this IdenTrust CA some years ago. All of the URLs I tested used this same CA.
02-13-2025 06:54 PM
Thanks @Arne Bier @Leo Laohoo for your information.
Hope we can get a fix soon to ensure our operational function is working well.
02-13-2025 08:58 PM
@oumodom - there will be no fix for this. The best you can hope for is a written confirmation from Cisco that this CA cert is no longer used and can be deleted. You should delete it eventually, because the ISE "cert expired" alarms will not stop. Maybe the next patch will also delete this cert as part of housekeeping.
02-16-2025 06:53 PM
Hi @Arne Bier, just to make sure it doesn't impact any service operation when the expiry date arrives.
02-16-2025 07:12 PM
This Trusted Certificate is tagged for "Cisco Services" only. This means, it is not used for your ISE EAP 802.1X at all. Cisco Services means that ISE will check the remote server it's connecting to for the services I mentioned previously, to see if ISE trusts those remote systems. I showed that these services do not use this CA chain at all. Cisco just forgot to remove this orphaned Trusted cert - and they should include this deletion in the next patch updates.
02-16-2025 08:43 PM
Bug updated!
Workaround:
The Baltimore CyberTrust Root certificate which is set to expire on May 12, 2025 is no longer in use by Cisco ISE and it is safe to delete.
02-16-2025 11:34 PM
Does it apply to version 2.7 as well?
02-17-2025 01:16 AM
If there is any doubt, test all the Cisco services that you are using (Smart Licensing Renew, Profiler Feed update, posture feed, etc.) while running a tcpdump on the PAN node. A Wireshark filter on ‘tls’ will reveal the server hellos. In the details you will see the CA cert chain that signed those Cisco server certs.
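The issuer check from the earlier curl post and the chain check suggested in the post above can be scripted. This is an added example, not part of any reply in the thread: it parses `openssl s_client -showcerts` output and reports whether a named CA appears anywhere in the chain. The function names and both sample chains are constructed for illustration; only the HydrantID issuer line is taken from the thread.

```shell
#!/bin/sh
# Added example: which CA names does a server's TLS chain reference?

# Live capture (needs network + openssl); not called by the demo below.
fetch_chain() {  # usage: fetch_chain ise.cisco.com | chain_uses_ca "CA name"
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Print "subject<TAB>CN" / "issuer<TAB>CN" for every chain entry on stdin.
# Accepts the "CN = x", "CN=x" and "/CN=x" DN styles of different OpenSSL builds.
chain_cns() {
  awk '/^ *[0-9]+ s:/ || /^ *i:/ {
    role = ($0 ~ /^ *i:/) ? "issuer" : "subject"
    if (match($0, "CN ?= ?[^,/]+")) {
      cn = substr($0, RSTART, RLENGTH)
      sub(/^CN ?= ?/, "", cn); sub(/[ \t\r]+$/, "", cn)
      print role "\t" cn
    }
  }'
}

# Exit 0 if the named CA appears as subject or issuer anywhere in the chain.
# Servers usually omit the root itself, so it shows up as the last issuer.
chain_uses_ca() {
  chain_cns | cut -f2 | grep -qiFx -- "$1"
}

ROOT='Baltimore CyberTrust Root'

# Constructed sample: leaf issuer as quoted in the thread, other DNs assumed.
SAMPLE_CHAIN=' 0 s:C = US, O = Example Org, CN = ise.cisco.com
   i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
 1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1'

# Constructed counter-example in the older slash-separated DN style.
LEGACY_CHAIN=' 0 s:/CN=legacy.example.test
   i:/C=US/O=Example/CN=Example Issuing CA
 1 s:/C=US/O=Example/CN=Example Issuing CA
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root'

for chain in "$SAMPLE_CHAIN" "$LEGACY_CHAIN"; do
  if printf '%s\n' "$chain" | chain_uses_ca "$ROOT"; then
    echo "chain references $ROOT"
  else
    echo "chain does not reference $ROOT"
  fi
done
```

Against a live node's view of the network, run `fetch_chain <host> | chain_uses_ca "Baltimore CyberTrust Root"` for each Cisco service hostname the deployment actually contacts.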
02-19-2025 12:50 PM
Looks like it is safe to be deleted now based on: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo05386
03-19-2025 02:56 PM
03-21-2025 02:12 AM
Workaround: The Baltimore CyberTrust Root certificate which is set to expire on May 12, 2025 is no longer in use by Cisco ISE and it is safe to delete.
