Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3009
Views
5
Helpful
4
Replies

Can CA authority certificates be deleted in ISE?

Go to solution
SMD28316
Level 1
Level 1

‎01-12-2022 01:57 AM

On ISE I have deleted SAML and PxGrid certs because I don't need them, I'm left with an externally signed certificate for portal / admin and EAP, on it's chain I don't see any certificate from "deployment > System > Certificate > Certificate authority > Certificate authority certificates", can I delete them?

 

I see root CA, OCSP responder CA, endpoint sub CA, I don't understand the reason for them, if they are not needed, can I disable internal CA?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎01-12-2022 01:40 PM - edited ‎08-04-2022 01:13 PM

The internal CA is used for the BYOD function in ISE in the use-case where ISE is the CA issuing the client certificates. Internal CA is also used to issue certificates for purposes like ISE/DNAC integration. It's advisable to leave the Internal CA enabled even if you don't actively use it for BYOD etc.

View solution in original post

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎01-22-2022 09:42 AM

You may delete any and all public CAs that you want - at your own risk.

You may always [re-]import a public CA Cert manually from their website.

You may want to Disable them first and make sure things continue to work for a few days/weeks before deleting permanently.

image.png

View solution in original post

0 Helpful
4 Replies 4

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-12-2022 02:46 AM

Personal i leave them as it is, as i take this is Public CA.

 

if the Private CA you can delete - but no harm keeping it..make sure there is no assiciation with that before you delete or clean up.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎01-12-2022 01:40 PM - edited ‎08-04-2022 01:13 PM

The internal CA is used for the BYOD function in ISE in the use-case where ISE is the CA issuing the client certificates. Internal CA is also used to issue certificates for purposes like ISE/DNAC integration. It's advisable to leave the Internal CA enabled even if you don't actively use it for BYOD etc.

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎01-22-2022 09:42 AM

You may delete any and all public CAs that you want - at your own risk.

You may always [re-]import a public CA Cert manually from their website.

You may want to Disable them first and make sure things continue to work for a few days/weeks before deleting permanently.

image.png

0 Helpful

Go to solution
Peter Koltl
Level 7
Level 7

‎08-04-2022 12:07 AM

Starting from ISE 2.6, ISE Messaging is used for inter-node communications. The certificates are apparently used even even if is disabled. You need proper ISE messaging certificate and its CA chain is always verified up to the the internal CA root. So you need the internal CA certificates and even the internal CA service because the messaging certificate must be renewed after 5 years.

Customers Also Viewed These Support Documents