Cisco ISE - Expired certificates cannot be deleted.

cjkaufman@dmgov.org · ‎02-23-2015

We just renewed our public cert, which I installed on my ISE nodes. I have attempted to delete the expired cert, but get various errors and cannot delete them. I did not see any related bug. Ideas?

Errors on the PSNs

I am not sure how I change the portal configuration?...

Error on the PANs

nspasov · ‎02-23-2015

Before a certificate can be deleted, all of its current tasks/functions must be assigned to another certificate. So you should first:

- Import your new cert

- Edit the cert and assign the EAP Authentication and Portal Certificate Group Tag that you are currently using to it.

- Then go back and delete the old certificate

Thank you for rating helpful posts!

cjkaufman@dmgov.org · ‎02-24-2015

What if I have a cert whose functions I no longer want assigned to a particular ISE node? For example, when we originally setup the primary PAN, we assigned the cert Portal, EAP Authentication, and Admin functions.

We only want/need the Admin function for the PANs, so how do I get rid of the other functions?

thx

nspasov · ‎02-25-2015

So you cannot disable EAP...You can decide to not use it in your ISE policies but the protocol is always there and it needs a certificate coupled to that function.

For the guest portal: You can delete all of the guest portal that you don't use and thus removing the need for that function.

To make things easier, you can just generate a self-signed cert and assign all of services that you are not using to it.

Thank you for rating helpful posts!