topic Re: Certificate warning Webauth Login Portal when Sectigo R46 cert is in Network Access Control

Certificate warning Webauth Login Portal when Sectigo R46 cert is used

ajc — Fri, 03 Oct 2025 18:54:16 GMT

Hi everyone,

Unfortunately, old versions of iOS, Android, Chromebook do not include in their Trusted Root CA DB/List, the Sectigo Root R46 certificate so my Web-authentication login portal that uses a cert signed by that Sectigo Root R46 is giving me certificate warnings like untrusted website or similar.

We cannot change the template provided by Sectigo when signing our CSR's so every single certificate is signed by that Sectigo R46 Root.

We cannot have that certificate warning displayed during the Web-Authentication process, the ISE login portal must be displayed automatically for those old version devices. Any suggestion other than getting the cert from another vendor and see if it works?.

I mean, is there a way to modify the Cisco ISE cert and make it like a cross-signed cert so old and new devices can trust the ISE certificate for WebAuth?

thanks

Re: Certificate warning Webauth Login Portal when Sectigo R46 cert is

Torbjørn — Fri, 03 Oct 2025 19:43:02 GMT

You should look at getting a certificate from a new vendor if you need this to work in the short term. There is nothing you can realistically do to resolve this issue while sticking to the R46 root, but the problem will likely "go away" as these older devices eventually ages out.

Re: Certificate warning Webauth Login Portal when Sectigo R46 cert is

david467 — Fri, 03 Oct 2025 20:22:13 GMT

Older clients won’t trust sectigo R46 since it’s not in their root store. ISE can’t re-sign or cross-sign the cert — your best bet is either use a cross-signed intermediate from Sectigo (if available) or switch to another CA with a root still trusted by legacy devices.