Cisco ISE 1.2 to 1.3 Upgrade Failed - Old Certificates in Cert Store, but can't remove

raun.williams
Level 3

Hello guys,

My attempt at an upgrade bombed out pretty quick due to an expired certificate in the certificate store. However, these certs are disabled because I've never been able to delete them due to the below error, as I cannot find what they would be attached to. I've looked in SCEP, but I'm not sure where else one should look. This is a distributed deployment, FYI.

Thanks,

Raun

6 Replies

mohanak
Cisco Employee

Open a TAC case for the procedure to remove the certificate.

Hello mohanak,

I am facing an issue when upgrading from ISE 1.3 to 2.0. It gives the below error:

System certificate with friendly name 'ISE-PAP02.sss.LOCAL#sss-HQ-DCSRV-01-CA#00001' is invalid: The certificate has expired.
% Error:  One or more system certificates are invalid (see above), please update with valid system certificate(s) before continuing. Upgrade cannot continue.
Starting application after rollback...

I tried deleting the expired certificate from the node and got a warning like "admin certificate cannot be deleted". Please find the attached.

Is there any way that we can delete the certificate?

Hello,

Did you find a way to accomplish this task?

Feedback will be very appreciated.

Hello,

We opened a TAC and they sent a TAC shoot file to delete the expired certificates from the Linux root level. Better to involve TAC for this activity.

Hello,

Thanks, my ISE was in 2.0 with an expired SSC.

After generating a new cert with Admin role, I was able to delete the expired certificate.

You can't delete.

You need to create or renew the Certificate and import it; it will replace the old expired Certificate.