Unable to delete expired certificate

pnavratil
Level 1

I am using ISE version 2.7, last patch (Patch2). I want to remove an expired certificate, as it is a potential stopper in upgrade/patch install.

It is an OCSP certificate from an already removed internal CA, named:

- Certificate Services OCSP Responder - <ise-node>#00027

The certificate is disabled.

When I try to remove it, I get the following error message:

------

Couldn't delete following certificate(s) as they are being referenced by a Secure SysLog Target.

  • Certificate Services OCSP Responder - <ise-node>#00027

-------

I checked the Secure Logging Targets and even changed the CA referenced in the configuration (note: both SecureSyslogCollector and SecureSyslogCollector2 are Disabled), but it has no impact on the issue. Is there any way to solve this?

 

 

3 Replies

pavagupt
Cisco Employee

This might be caused by referential integrity, i.e. the certificate/chain might be in use by other entities in ISE. Unless all those references are removed, you can't delete the certificate.

 

I believe you might be using the (expired) CA for the Secure Syslog Targets. Disabling a Secure Syslog Target which has a CA reference is not going to solve this issue. You might have to delete the Secure Syslog Targets or associate another certificate with them (make sure it doesn't have a dependency on the expired OCSP certificate which you want to delete) and then try cleaning up your expired certificate.

 

NOTE: Please take a backup before deleting.

I already tried to change the CA certificate referenced in the Secure Syslog Target configuration, but this did not help.

I do not understand the mechanism for selecting the certificate for this service, as in the configuration I am only able to set some CA certificate. There is a note in the documentation:

-----

During a fresh Cisco ISE installation, a certificate that is named Default Self-signed Server Certificate is added to the Trusted Certificates store. This certificate is marked for Trust for Client authentication and Syslog usage, making it available for secure syslog usage. While configuring your deployment or updating the certificates, you must assign relevant certificates to the secure syslog targets.

-----

See this for details: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_basic_setup.html#reference_51BC9C350D2D4AD789E0E15EE21C35E6

There is no Self-Signed certificate in the Trusted store in my case.

Is there any certificate bound to the Secure Syslog Target service? Or does it use only the certificate on the server side (on the syslog target)?

Otherwise, currently both Secure Syslog Target records (SecureSyslogCollector and SecureSyslogCollector2) now use some external CA in the configuration, but I still cannot delete the expired certificates.

ISE always makes use of the default self-signed certificate in order to send syslogs to MnT (until and unless you use a different certificate issued by a CA on different nodes).

 

Whereas when sending syslogs to an external entity over a secure channel, ISE and the syslog server require trusted certificates to be configured.

A Secure Syslog Target requires a TLS connection between ISE and the Secure Syslog remote machine. You first have to import the certificate of the CA that issued the syslog target's certificate into the ISE trust store and enable it so that it is trusted during the TLS connection. That's why we have to select a CA certificate when configuring a Secure Syslog Target. ISE will use its admin certificate when communicating with the syslog server.

 

Hope that helps.