Cisco ISE Upgrade

I have a Cisco ISE running version 2.3 and I need to upgrade to 2.6.

The bundle has been downloaded to the nodes, but the upgrade fails because the Default self-signed certificate is expired.

I wanted to renew it, but I can't find it in the system certificates tab; I only find it in the trusted certificates tab.

So, is there any way to renew it?

11 Replies

Marvin Rhoads
Hall of Fame

How many nodes and which one's self-signed is expired?

If the nodes are all using self-signed certificates, each will have its own in system certificates and the others' in trusted certificates. You need to look under each node to find its associated self-signed certificate.

(Moving thread to NAC Forum)

Hi Marvin,

It's a 2-node deployment and the self-signed certificate of the primary node expired, as shown in the attached screenshot. I can't see it in the system certificates of node 1, but I can see the self-signed certificate of node 2.

If the cert that has expired does not exist in either of your two ISE nodes under System Certs, and in particular for the Admin purpose, then you can safely delete the expired cert from the Trusted Certs section. It's probably an orphan, back from when the system was first built using the Admin cert of Node2 and imported into Node1 to allow Registration to go through. It's bad practice, but everyone has had to do it from time to time.

Hi Arne,

I tried to delete it earlier but I get the attached error.

I checked the remote logging targets and I found that it is associated with one of them, I tried to remove it but it was also impossible.

Oh that old chestnut :-(

For the remote logging target, simply select another valid CA cert from the drop-down list. That tells ISE which cert to use to check the cert from the other end of the TCP connection during TLS establishment. If you have set up secure SYSLOG, then ISE needs to trust the other end of the secure connection.

Then you should be able to delete the expired cert. 

Update 1 May 2020: The same thing happened to me today on a fresh ISE 2.6 patch 6 install. I had to create an ISE Cluster using self-signed certs because the PKI guys had not given me a proper cert yet. Once I had the signed Admin certs from the PKI Root CA, I installed those. What happened next surprised me. In the Trusted Certs I now saw the ISE01 self-signed cert? Why??? I had put the ISE02 self-signed cert there to allow me to register the ISE02 node. Weird. And despite me choosing the PKI Root CA for the Secure Logging, ISE refused to allow me to delete the useless ISE01 self-signed cert from the Trust Store. So I tried this, and it worked: Under System Certs, Generate Self-Signed Cert and select the roles assigned to the cert that is refusing to be deleted - in my case it was EAP/RADIUS-DTLS/Portal. Once I had done that, it fixed the issue and I could delete the ISE01 self-signed cert from the Trust Store.
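The mechanism Arne describes for the remote logging target (ISE trusting one CA from its store to validate the far end of a secure syslog connection) can be shown in code. The following Go program is an added example, not code from this thread, from Cisco, or from ISE itself; the trust-store display names, the hostname syslog.example.test, the dates and every certificate are constructed for the demonstration. It builds a trust store holding an expired self-signed orphan next to a valid PKI root, audits the store for expired entries, and then runs the TLS-client-style peer check with each entry selected for the logging target, so both the failure and the fix of pointing the target at a valid CA are visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const SyslogHost = "syslog.example.test" // constructed hostname for the remote secure-syslog server

// ErrTrustAnchorExpired: the CA selected for the logging target is outside its own validity period.
var ErrTrustAnchorExpired = errors.New("selected trust anchor is expired")

// TrustEntry is one row of a hypothetical trust store: display name plus certificate.
type TrustEntry struct {
	Name string
	Cert *x509.Certificate
}

var serialCounter int64 // demo only; real CAs use random serials

// mustCert makes a self-signed CA named cn when parent is nil, otherwise a TLS server
// certificate for host cn issued by parent. It panics on failure (constructed demo data).
func mustCert(cn string, nb, na time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serialCounter), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		signer, signerKey = tmpl, key
	} else { // leaf issued by parent
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ExpiredEntries lists trust-store entries whose validity ended before now (the audit that finds an orphan).
func ExpiredEntries(store []TrustEntry, now time.Time) []string {
	var names []string
	for _, e := range store {
		if now.After(e.Cert.NotAfter) {
			names = append(names, e.Name)
		}
	}
	return names
}

// VerifyPeer is the TLS-handshake check on the syslog server's certificate: it must chain to
// the one CA selected for the logging target. An expired anchor is reported specifically.
func VerifyPeer(serverCert, anchor *x509.Certificate, host string, now time.Time) error {
	if now.After(anchor.NotAfter) || now.Before(anchor.NotBefore) {
		return fmt.Errorf("%w: %q (not after %s)", ErrTrustAnchorExpired, anchor.Subject.CommonName, anchor.NotAfter.Format(time.RFC3339))
	}
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// BuildScenario mirrors the thread with constructed names and dates: an expired self-signed
// orphan and a valid PKI root in the trust store, and a syslog server chained to the PKI root.
func BuildScenario() (store []TrustEntry, server *x509.Certificate, now time.Time) {
	now = time.Date(2020, 5, 1, 12, 0, 0, 0, time.UTC)
	orphan, _ := mustCert("ISE01 self-signed", now.AddDate(-2, 0, 0), now.AddDate(0, 0, -1), nil, nil)
	root, rootKey := mustCert("PKI Root CA", now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0), nil, nil)
	server, _ = mustCert(SyslogHost, now.AddDate(0, -1, 0), now.AddDate(1, 0, 0), root, rootKey)
	store = []TrustEntry{{"ISE01 self-signed", orphan}, {"PKI Root CA", root}}
	return
}

func main() {
	store, server, now := BuildScenario()
	fmt.Println("expired trust-store entries:", ExpiredEntries(store, now))
	for _, e := range store {
		fmt.Printf("logging target trusting %q: %v\n", e.Name, VerifyPeer(server, e.Cert, SyslogHost, now))
	}
}
```

With the expired entry selected, VerifyPeer returns ErrTrustAnchorExpired before any chain is built, which is the reason you want to see logged rather than a bare "unknown authority"; with the PKI root selected the chain verifies and a hostname mismatch still fails. The same ExpiredEntries audit over an exported trust store is a quick way to spot orphans before an upgrade pre-check trips over them.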

Which certificate is expired? Also, if it's already expired and not causing issues, then it's not used and can be removed.

I have tried to delete it but I get an error.

I checked the remote logging targets and I found that it is associated with one of them; I tried to remove it, but that was also impossible.

Hi Sameer,
Can you please provide a screenshot of the remote logging target and the error you received while removing the reference to the self-signed certificate from there?

Hi Poongarg,

It's an error because of its name! I think the name is a default name and it cannot be changed.

I attached a screenshot of the error

Hi Samer,

I believe you are facing the same issue as below:

https://community.cisco.com/t5/network-access-control/ise-2-4-cannot-delete-a-remote-logging-target-with-hyphens-in/m-p/4068938#M559738

Please open a TAC case to remove this syslog log target via root access.

Please try deleting the remote syslog target, but first get the list of logging categories it is targeting so you can re-add it if needed.