
DigiCert with Guest Portal - Not Trusted?

Matthew Martin

Hello All,

ISE v2.7

I just uploaded a new wildcard DigiCert certificate to ISE with the Role of Guest Portal. I uploaded the new wildcard cert + the private key that my manager gave me. I checked the Allow wildcard certs checkbox and everything appeared to update just fine.

So I then took my Android cell and connected to our Guest Wi-Fi. When I got redirected to the login page, I got the message: "The network you're trying to join has security issues."

When I click View Certificate in the browser window on my cell, it shows the portal login URL, and says "This certificate isn't from a trusted authority". It shows Issued to: CN: * and Issued by: DigiCert TLS RSA SHA256 2020 CA1.

Why wouldn't DigiCert be considered a Trusted Authority? I'm confused...

Thanks in Advance,


What is your URL redirect FQDN?

Is it like this example: ? Or an IP?

Do you have a DNS entry?


Note: how about trying another device as part of testing?



Thanks for the reply.

We have it set up to use Hostname, i.e.




Hi Matthew,

I assume you have installed Root and Intermediate CA certificates under Trusted Certificates?

Which version exactly are you running? If it is v2.7 under patch 5, you might be hitting CSCvu84184.

Kind regards,


So the Cert from DigiCert came with the Wildcard cert and a Root Cert. When I looked at the Root cert it appears to be the same as the existing DigiCert Root Cert that's already uploaded to ISE...

If I try to upload the Root cert that I received with the new wildcard cert, would it give me an error/warning if that exact same cert already exists?

I don't think that's the issue here; if the root cert was not in the trusted cert store, it won't even let you install the wildcard cert and private key.

Review this link:

-hope this helps-

Ok gotcha, thanks for the reply. That part makes sense...

From the link, I know they're specifically talking about iOS and I'm trying on an Android. But, sounds like it could be the same issue... Since I do not get the message on a Windows PC, should I assume this is just something with iOS and Android devices, and there's not really a "fix" per se?

I know it also mentioned something about the Cert having a CRL list. Not really familiar with what that is. Is there a way to check if our Cert has a Certificate Revocation List?

Open the public cert, go to Details, and you will see the CRL distribution list field.

It may be the bug mentioned by @Milos_Jovanovic.

On a separate note, I would think that with either PEAP or CWA, the CRL issue will apply in both cases, since the client needs to validate the ISE cert in both cases. Is that not right?

When you accept the certificate once, delete the MAC and get redirected again, does it prompt the cert error again?

-hope this helps-


If you try to upload an already existing cert, yes, it would warn you that a cert with the same private/public key already exists.

I don't think it is the issue that @ammahend mentioned, because over there, EAP is in use, while you are using CWA with Guest portal, so different principles are in use.

What is your exact ISE version? As I mentioned, there is a known bug in which ISE is not sending the entire CA chain with the certificate with Guest portals.

Kind regards,
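
An added example, not written by any poster in this thread: it builds a constructed root, issuing CA and wildcard leaf, then shows that a client trusting only the root rejects a server that sends just its own certificate, which is the missing-chain behaviour described in the reply above. All subject names, file names and the `guest.example` domain are made up, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Constructed PKI: root -> issuing CA -> wildcard leaf. Every name here is made up.
set -eu

new_csr() {  # $1 = file prefix, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
}

make_pki() {  # $1 = empty working directory
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'subjectAltName=DNS:*.guest.example\n' > leaf.ext
    new_csr root 'Constructed Root CA'
    new_csr int 'Constructed Issuing CA'
    new_csr leaf '*.guest.example'
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.ext -days 2 -out int.pem
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -extfile leaf.ext -days 2 -out leaf.pem
    cat leaf.pem > sent_leaf_only.pem       # server presents only its own certificate
    cat leaf.pem int.pem > sent_full.pem    # server presents leaf plus intermediate
  ) >/dev/null 2>&1
}

# Can a client that trusts only the roots in $1 build a chain from what was sent in $2?
# $2 is a PEM file, leaf first; openssl verifies the first cert and may use the rest.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

sent_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
for f in sent_leaf_only sent_full; do
  if chain_ok "$work/root.pem" "$work/$f.pem"; then r='trusted'; else r='NOT trusted'; fi
  echo "$f: $(sent_count "$work/$f.pem") certificate(s) sent -> $r"
done
# To capture what a live portal sends (placeholders, fill in your own values):
#   openssl s_client -connect <portal-fqdn>:<port> -showcerts </dev/null > sent.pem
```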


We are running:

Patch Information: 3

In that case, most likely you are hitting CSCvu84184, which is solved in v2.7 patch 5. I would recommend applying the latest patch and then repeating the testing.

Kind regards,


Thanks for the reply Milos.

I'm pretty sure the answer is yes. But, when installing patches, are they cumulative, i.e. would I just need the newest patch?


  - As already noted, go for the latest in the 2.7 train because patches are cumulative; avoid p5 because of:




Yes, patches are cumulative, and you only need to install the latest one.

Kind regards,

