
Baltimore CyberTrust Root is expired on Cisco ISE

oumodom
Level 1

Baltimore CyberTrust Root is expired. 

As we found it on Trusted Certificates on ISE. 
This certificate will expire soon. When it expires, ISE may fail when attempting to establish secure communications with clients. Inter-node communication may also be affected.

Description: Auto imported for secure connection to cisco.com/perfigo.com

Usage: Trust for authentication of cisco services

Valid From Sat, 13 May 2000 01:46:00 ICT
Valid To (Expiration) Tue, 13 May 2025 06:59:00 ICT

Suggested Actions Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use ISE to extend the expiration date. You can just delete the certificate if it is no longer used.

How to resolve this issue? 

Thank you, 


4 Accepted Solutions

Look at the details found in CSCwo05386.

1.  The Bug ID was created today, 12 February 2025. 

2.  Yet, there are already >31 TAC Cases. 

That is 31 TAC cases in less than 24 hours. This means ISE TAC is currently getting swamped and has no time to update the Bug IDs.

Options are: 

1.  Raise a TAC Case and get "associated" to this Bug ID

2.  Contact/Escalate your Cisco Account Manager/SE

3.  Wait for TAC to provide further information.


This Trusted Certificate is tagged for "Cisco Services" only. This means it is not used for your ISE EAP 802.1X at all. Cisco Services means that ISE will check the remote server it's connecting to for the services I mentioned previously, to see if ISE trusts those remote systems. I showed that these services do not use this CA chain at all. Cisco just forgot to remove this orphaned Trusted cert - and they should include this deletion in the next patch updates.


30 Replies

Leo Laohoo
Hall of Fame

Raise a TAC case.  

If this is correct (and widespread) TAC will need to release a patch soon-ish and a Field Notice will need to be fast-tracked.

In your experience, is this a new issue? @Leo Laohoo

For everyone's sake, pray that I am wrong.

langflow
Level 1

The expired Baltimore CyberTrust Root is causing authentication problems—hoping Cisco provides a smooth fix or workaround soon!

Leo Laohoo
Hall of Fame

@Marvin Rhodes

Would you have an idea what the "Baltimore CyberTrust Root" cert does and what happens (i.e. what "breaks") when this specific cert expires?

tipy
Level 1

A reply from Cisco would sure be helpful and informative so not everyone has to make a TAC case, but by the description it seems this is only used to trust access to "cisco.com/perfigo.com".
When I look at that domain now, the cert is issued by IdenTrust Commercial Root CA 1, and this is also present in the ISE trust store.
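
The check described in the post above (is a root in the trust store close to expiry, and does the server's certificate actually chain to it or to a different root that is also trusted), as an added example that is not part of the original thread or of Cisco's tooling. It runs offline against a constructed lab of throwaway certificates; the directory layout, file names and the `Old Lab Root`, `New Lab Root` and `server.example` names are assumptions.

```bash
#!/usr/bin/env bash
# Constructed lab only: throwaway roots and a throwaway server cert (all names are assumptions).

# List trust-store files whose certificate expires within N days.
expiring_within() {   # $1 = directory of PEM roots, $2 = days
  local f
  for f in "$1"/*.pem; do
    # -checkend exits non-zero when the cert expires inside the window
    openssl x509 -in "$f" -noout -checkend "$(( $2 * 86400 ))" >/dev/null || basename "$f"
  done
}

# List the trust-store file(s) that validate the given server certificate.
anchoring_root() {    # $1 = directory of PEM roots, $2 = server certificate (PEM)
  local f
  for f in "$1"/*.pem; do
    if openssl verify -CAfile "$f" "$2" >/dev/null 2>&1; then basename "$f"; fi
  done
}

# Build the lab: a root 30 days from expiry, a long-lived root, and a server
# certificate issued by the long-lived one.
build_lab() {         # $1 = working directory
  mkdir -p "$1/trust"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Old Lab Root" \
    -keyout "$1/old.key" -out "$1/trust/old-root.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=New Lab Root" \
    -keyout "$1/new.key" -out "$1/trust/new-root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/trust/new-root.pem" -CAkey "$1/new.key" \
    -set_serial 1 -days 365 -out "$1/server.pem" 2>/dev/null
}

# Run with "demo" as the first argument to see the result on the lab.
if [ "${1:-}" = "demo" ]; then
  lab=$(mktemp -d)
  build_lab "$lab"
  echo "expiring within 90 days: $(expiring_within "$lab/trust" 90)"
  echo "server.pem is anchored by: $(anchoring_root "$lab/trust" "$lab/server.pem")"
  rm -rf "$lab"
fi
```

An expiring root that anchors none of the certificates you still need to validate shows up in the first list but never in the second.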

 

Leo Laohoo
Hall of Fame

@Arne Bier has shared CSCwo05386.

So what is next besides contacting TAC? @Leo Laohoo @Arne Bier

3.  Wait for TAC to provide further information.

I am looking forward to getting a response from Cisco.

Thanks for sharing the Bug ID, @Arne Bier.

Is this certificate for air-gapped devices as well? I mean ISE with no internet connection?

Alarm Name : Certificate Expiration

Details : Trust certificate 'Baltimore CyberTrust Root' will expire in 90 days : Server=XXXXX

Description : This certificate will expire soon.  When it expires, ISE may fail when attempting to establish secure communications with clients.  Inter-node communication may also be affected

Severity : Warning

Suggested Actions : Replace the certificate.  For a trust certificate, contact the issuing Certificate Authority (CA).  For a CA-signed local certificate, generate a CSR and have the CA create a new certificate.  For a self-signed local certificate, use ISE to extend the expiration date. You can just delete the certificate if it is no longer used

*** This message is generated by Cisco Identity Services Engine (ISE) ***