Unable to delete ISE Internal Certificate in Trusted Store
04-13-2020 09:11 PM
Hello, we are on ISE 2.2 patch 16.
I am trying to delete one of our expiring internal certificates in the trusted store. We have another one (new one) installed with the same common name.
ISE won't let me delete the old one due to another cert that has the same common name.
Have you encountered the same issue before and do we know a workaround to this issue?
Labels: Identity Services Engine (ISE)
04-14-2020 12:01 AM
Upgrade. I think there are internal maps in the ISE DB which don't clean correctly when you delete the overlapping object.
Try to open a TAC case to see if they can clean.
04-14-2020 06:58 AM
Thanks for the info. I went and opened a TAC case.
Since you were not able to delete the trusted cert, did you just let the certificate expire since you have the new one installed anyway?
If I understand correctly, since we have the new one installed and the trusted cert is only being used to validate ISE server certificates, there should be no impact once the old one expires.
04-14-2020 06:18 PM
04-14-2020 12:21 AM - edited 04-14-2020 12:22 AM
From the problem description, it seems you are hitting this bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy36667/?rfs=iqvred
Details:
Symptom:
On ISE 2.0 it is not possible to delete a certificate with a duplicated common name even if it is not referenced anywhere on ISE.
Conditions:
1. ISE 2.0
2. Two certificates with same common name in trusted store.
3. Try to delete one of them.
The workaround mentioned here is:
1. Remove template, SCEP and LDAP references for the certificates.
2. Restart ISE services.
3. Remove one of the certificates.
