Solved: OK to delete DST Root CA X3 Certificate Authority ?

Arne Bier · ‎07-04-2021

Hello

A lot of ISE systems will be reporting that the Trusted Certificate "DST Root CA X3 Certificate Authority" is going to be expiring soon. I believe this certificate is (or was) used by ISE to trust the connection with certain Cisco backend systems.

I have not seen any official notices from Cisco - does anyone know if we can already delete this certificate? Once it's expired it's of no use - just causing alarms.

hslai · ‎07-05-2021

> does anyone know if we can already delete this certificate? Once it's expired it's of no use - just causing alarms.

Yes, we can.

Expired certificates may cause ISE upgrade to fail.

View solution in original post

hslai · ‎07-05-2021

> does anyone know if we can already delete this certificate? Once it's expired it's of no use - just causing alarms.

Yes, we can.

Expired certificates may cause ISE upgrade to fail.

Arne Bier · ‎07-06-2021

thanks @hslai - I think it might be helpful to include a certificate removal function in ISE patches as soon as Cisco realises that this cert is no longer required. Some time back there was anothe cert that expired and there were many questions in the community about it.

Or perhaps a field notice or email or something. I subscribe to bug and patch updates and to be honest I stopped reading those because it's meaningless data to scroll through a list of defects - not knowing if any of this affects you or not. But I would have deleted this certificate (and others) on the advice of Cisco, had I known about it.

ali.rodriguez · ‎08-27-2021

So the certificate is not used at all? Or do the other certificates fulfill the functions of this certificate that will expire?

Damien Miller · ‎08-27-2021

@ali.rodriguez It is now unused, I've deleted it off all the deployments I've been managing without any ill effects.