https://community.cisco.com/t5/network-access-control/combining-or-chaining-root-and-intermediate-certs-in-ise/m-p/3509283#M517530 <HTML><HEAD></HEAD><BODY><P>For ISE, we usually import first the root CA certificate into the Trusted Certificates store, followed by any intermediate CA certificates into the same store, and finally import the portal certificate as a system certificate and designate it with a portal tag. This way ISE should be able to build and send the full chain to the endpoints.</P><P></P><P>If root or intermediate CA certificates imported after the system certificate, then ISE services need a restart for it to send the full chain.</P><P></P><P>If it does not work as the above, please engage TAC to troubleshoot.</P></BODY></HTML> Wed, 28 Feb 2018 16:31:58 GMT hslai 2018-02-28T16:31:58Z https://community.cisco.com/t5/network-access-control/combining-or-chaining-root-and-intermediate-certs-in-ise/m-p/3509282#M517528 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We have a customer having issues with endpoints that do not have the intermediate or root certs downloaded previously on their system. This prevents their access because they can not make the chain to the root to say that the domain's guest portal cert is valid. </P><P></P><P>Some other NAC solutions allow the chaining of multiple certificate public keys in the same file, not sure if that is doable in ISE?</P><P></P><P>Thank you!</P></BODY></HTML> Wed, 28 Feb 2018 14:14:59 GMT https://community.cisco.com/t5/network-access-control/combining-or-chaining-root-and-intermediate-certs-in-ise/m-p/3509282#M517528 mmcphee 2018-02-28T14:14:59Z https://community.cisco.com/t5/network-access-control/combining-or-chaining-root-and-intermediate-certs-in-ise/m-p/3509283#M517530 <HTML><HEAD></HEAD><BODY><P>For ISE, we usually import first the root CA certificate into the Trusted Certificates store, followed by any intermediate CA certificates into the same store, and finally import the portal certificate as a system certificate and designate it with a portal tag. This way ISE should be able to build and send the full chain to the endpoints.</P><P></P><P>If root or intermediate CA certificates imported after the system certificate, then ISE services need a restart for it to send the full chain.</P><P></P><P>If it does not work as the above, please engage TAC to troubleshoot.</P></BODY></HTML> Wed, 28 Feb 2018 16:31:58 GMT https://community.cisco.com/t5/network-access-control/combining-or-chaining-root-and-intermediate-certs-in-ise/m-p/3509283#M517530 hslai 2018-02-28T16:31:58Z