cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3169
Views
5
Helpful
4
Replies

Can CA authority certificates be deleted in ISE?

SMD28316
Level 1
Level 1

On ISE I have deleted SAML and PxGrid certs because I don't need them, I'm left with an externally signed certificate for portal / admin and EAP, on it's chain I don't see any certificate from "deployment > System > Certificate > Certificate authority > Certificate authority certificates", can I delete them?

 

I see root CA, OCSP responder CA, endpoint sub CA, I don't understand the reason for them, if they are not needed, can I disable internal CA?

2 Accepted Solutions

Accepted Solutions

Arne Bier
VIP
VIP

The internal CA is used for the BYOD function in ISE in the use-case where ISE is the CA issuing the client certificates. Internal CA is also used to issue certificates for purposes like ISE/DNAC integration. It's advisable to leave the Internal CA enabled even if you don't actively use it for BYOD etc.

View solution in original post

thomas
Cisco Employee
Cisco Employee

You may delete any and all public CAs that you want - at your own risk.

You may always [re-]import a public CA Cert manually from their website.

You may want to Disable them first and make sure things continue to work for a few days/weeks before deleting permanently.

image.png

View solution in original post

4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

Personal i leave them as it is, as i take this is Public CA.

 

if the Private CA you can delete - but no harm keeping it..make sure there is no assiciation with that before you delete or clean up.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Arne Bier
VIP
VIP

The internal CA is used for the BYOD function in ISE in the use-case where ISE is the CA issuing the client certificates. Internal CA is also used to issue certificates for purposes like ISE/DNAC integration. It's advisable to leave the Internal CA enabled even if you don't actively use it for BYOD etc.

thomas
Cisco Employee
Cisco Employee

You may delete any and all public CAs that you want - at your own risk.

You may always [re-]import a public CA Cert manually from their website.

You may want to Disable them first and make sure things continue to work for a few days/weeks before deleting permanently.

image.png

Peter Koltl
Level 7
Level 7

Starting from ISE 2.6, ISE Messaging is used for inter-node communications. The certificates are apparently used even even if is disabled. You need proper ISE messaging certificate and its CA chain is always verified up to the the internal CA root. So you need the internal CA certificates and even the internal CA service because the messaging certificate must be renewed after 5 years.