9308 Views, 4 Helpful, 6 Replies

ISE Certificate stale status

Anilvnair
Level 1

Hello Members,

After binding the certificate on ISE, I see the cert status shown as Stale under the System Certificates tab. How do I fix this issue?

Accepted Solution

Stale System and Trusted Certificates

Stale certificates are certificates that don't belong to any node in the deployment. These redundant certificates might accumulate in large numbers in the System and Trusted Certificate stores, leading to insufficient memory and latency issues. From Cisco ISE Release 3.1, such redundant certificates carry a Stale Certificate status, enabling you to review and delete them.


6 Replies

thomas
Cisco Employee

Did you search for the word "stale" in the ISE Admin Guide?

ISE 3.1 Administrator Guide > Basic Setup

ffischer
Level 1

In a complex deployment running for years now, we are using separate interfaces for the Guest Portal.
We have a Guest Portal certificate signed by a 3rd party that is shown as stale,
because neither its CN nor its SANs match the FQDN of one of the nodes.
We use "ip host" aliases for the guest portal setup, which the ISE cert check obviously forgot to consider
when checking whether an installed system certificate is referenced.

And.... Yes, I have read the manuals ... at least partially

Hi @ffischer ,

We ran into this issue as well. Does "ip host" definitely fix the issue?

Thx, Gio

ffischer
Level 1

Well..
The certificates are checked for being referenced in the ISE config
by internal code running automatically at regular intervals.
The code obviously ignores the host names in the ip aliases on the CLI.

I'm not aware of a confirmed bug nor a fix for this bug.

Nothing you or I can "fix" if you need the host alias.
If you do not need it, then delete it.
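A small model of the check ffischer describes, added here as an illustration and not Cisco ISE's own code: a system certificate counts as referenced only when its CN or a DNS SAN matches a node FQDN, so a guest portal certificate issued for an "ip host" alias is flagged Stale unless the alias names are also considered. The node names, alias and certificate names below are constructed, and the wildcard handling goes slightly beyond the thread.

```python
"""Model of the 'stale certificate' check discussed in this thread.

Constructed example, not Cisco ISE code. A system certificate is treated as
referenced if its CN or a DNS SAN covers a node hostname. The FQDN-only
variant mirrors what the thread says ISE does; the alias-aware variant adds
the "ip host" names the poster expects to be honoured.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SystemCert:
    """Minimal view of a system certificate: subject CN plus DNS SANs."""
    friendly_name: str
    cn: str
    sans: list[str] = field(default_factory=list)


def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is not significant.
    return name.strip().rstrip(".").lower()


def name_matches(cert_name: str, fqdn: str) -> bool:
    """True if a CN/SAN entry covers fqdn, honouring one leading '*.' label."""
    cert_name, fqdn = _norm(cert_name), _norm(fqdn)
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                       # e.g. ".guest.example.com"
        # Wildcard covers exactly one extra label, never the bare suffix.
        return fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]
    return cert_name == fqdn


def cert_status(cert: SystemCert, node_fqdns: list[str],
                host_aliases: list[str] | None = None) -> str:
    """Return 'Referenced' or 'Stale'.

    host_aliases=None  -> FQDN-only check as described in the thread.
    host_aliases=[...] -> alias-aware check that also accepts "ip host" names.
    """
    names = list(node_fqdns) + list(host_aliases or [])
    cert_names = [cert.cn] + cert.sans
    referenced = any(name_matches(c, n) for c in cert_names for n in names)
    return "Referenced" if referenced else "Stale"


# Constructed deployment: two PSNs and a hypothetical "ip host" alias.
NODE_FQDNS = ["ise-psn1.corp.example.com", "ise-psn2.corp.example.com"]
IP_HOST_ALIASES = ["guest.example.com"]
ADMIN_CERT = SystemCert("Admin", cn="ise-psn1.corp.example.com", sans=NODE_FQDNS)
GUEST_PORTAL_CERT = SystemCert("Guest Portal", cn="guest.example.com",
                               sans=["guest.example.com", "*.guest.example.com"])

if __name__ == "__main__":
    for cert in (ADMIN_CERT, GUEST_PORTAL_CERT):
        print(f"{cert.friendly_name:13} fqdn-only: {cert_status(cert, NODE_FQDNS):10} "
              f"alias-aware: {cert_status(cert, NODE_FQDNS, IP_HOST_ALIASES)}")
```

Running it shows the guest portal certificate as Stale under the FQDN-only check and Referenced once the alias is included, which is the mismatch the thread describes.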