02-28-2018 06:14 AM
Hello,
We have a customer having issues with endpoints that do not have the intermediate or root certs downloaded previously on their system. This prevents their access because they cannot make the chain to the root to say that the domain's guest portal cert is valid.
Some other NAC solutions allow the chaining of multiple certificate public keys in the same file, not sure if that is doable in ISE?
Thank you!
02-28-2018 08:31 AM
For ISE, we usually import first the root CA certificate into the Trusted Certificates store, followed by any intermediate CA certificates into the same store, and finally import the portal certificate as a system certificate and designate it with a portal tag. This way ISE should be able to build and send the full chain to the endpoints.
If root or intermediate CA certificates are imported after the system certificate, then ISE services need a restart for it to send the full chain.
If it does not work as described above, please engage TAC to troubleshoot.
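Added example, not part of the original thread and not Cisco code: a local `openssl` lab showing why an endpoint that trusts only the root rejects a portal certificate sent alone and accepts it once the intermediate is sent with it. The CA names, `guest.example.test`, and the helper functions `build_lab_pki` and `endpoint_accepts` are made up for this illustration.

```shell
#!/bin/sh
# Constructed lab PKI (all names made up): lab-root -> lab-inter -> lab-leaf (portal cert)

build_lab_pki() {   # $1 = empty working directory
  d="$1"
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=Common Name\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:guest.example.test\n' > "$d/leaf.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=lab-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Root signs itself, root signs the intermediate, the intermediate signs the portal cert.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 2 -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -set_serial 3 \
    -extfile "$d/leaf.ext" -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# The endpoint trusts only the root. -untrusted stands in for the extra
# certificates a server sends in the TLS handshake alongside its own.
endpoint_accepts() {   # $1 = lab dir, $2 = leaf-only | full-chain
  if [ "$2" = full-chain ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

lab=$(mktemp -d)
build_lab_pki "$lab"
for mode in leaf-only full-chain; do
  if endpoint_accepts "$lab" "$mode"; then
    echo "$mode: endpoint builds the chain to the root"
  else
    echo "$mode: endpoint cannot build the chain"
  fi
done
rm -rf "$lab"
```

Against a live portal, `openssl s_client -connect <portal-host>:<port> -showcerts` prints every certificate the server actually sent, so a single certificate in that output means the intermediates are not being served.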