topic You can open the root CA and in Network Access Control

ISE 2.2 Issue to Bind Signed Certificate

ypomero06 — Mon, 11 Mar 2019 07:31:03 GMT

Hello,

I try to import signing certificate on my ISE 2.2.

I have Generate Certificate Signing Request and send to Comodo CA. I have CA on Trusted Certifcates Tab

But when I bind the certificate i have this error.

I don't understand what is the issue.

Best regards

Did you determine what was

hamilton.bill — Wed, 31 May 2017 22:05:13 GMT

Did you determine what was causing Certificate path validation error?

You can open the root CA and

Ambuj M — Thu, 01 Jun 2017 02:05:16 GMT

You can open the root CA and verify if it has the complete chain.

**rate helpful posts**

I confirmed a complete chain

hamilton.bill — Thu, 01 Jun 2017 14:30:41 GMT

I confirmed a complete chain on the Root

Comodo CA has 1 Root and 4

Rahul Govindan — Thu, 01 Jun 2017 23:51:11 GMT

Comodo CA has 1 Root and 4 different Intermediate CA certificates:

https://support.comodo.com/index.php?/Knowledgebase/List/Index/71

Can you check which exact intermediate CA has issued your certificate? I do not recall what Comodo Intermediate certificates ISE has in the 2.2 release by default, but your snapshot seems to point to:

COMODO RSA Organization Validation Secure Server CA (SHA-2)

Comodo RSA Certification Authority (SHA-2)

Check if "COMODO RSA Organization Validation Secure Server CA" issued yours.

Import the Root and

ajc — Tue, 06 Jun 2017 22:06:51 GMT

Import the Root and Intermediate CA Certs into the trusted list of ISE before binding the cert.

Usually, ISE does NOT have all the intermediate in the internal trust cert repository. ONE EXAMPLE is L1K Intermediate Entrust Cert so I think the same is happening to you.

If you see some COMODO certs in the ISE trusted cert list, CHECK the serial number against the ones that signed your cert. I am pretty sure you will find are not the same at least for the Intermediate because Root CA Certs are embedded in the software (example for Apple & Android is the Entrust Root G2 which also applies to ISE trust cert list).

Hoping this helps

We determine there was an

hamilton.bill — Thu, 08 Jun 2017 16:02:27 GMT

We determine there was an issue in the cert chain and it was corrected.

Just to let you know, I am

ajc — Mon, 17 Jul 2017 17:19:27 GMT

Just to let you know, I am facing issues with binding an entrust cert to the portal certificate tag so the sponsor portal and guest portal are not displayed properly unless you stop/restart the ISE 2.2 services on that specific node (PAN or PSN). Still working with TAC on this.

As a general information the

ajc — Wed, 26 Jul 2017 18:21:51 GMT

As a general information the root cause was found. Having duplicated certificate entries in the TRUSTED CERTIFICATE LIST of ISE with the same CN (common name) causes the Internal Server Error and Guest/Sponsor Portals operation error.

Removing one of the duplicated entries was enough.