I just uploaded a new wildcard DigiCert certificate to ISE with the Role of Guest Portal. I uploaded the new wildcard cert + the private key that my manager gave me. I checked the Allow wildcard certs checkbox and everything appeared to update just fine.
So I then took my Android cell and connected to our Guest Wi-Fi. When I got redirected to the login page, I got the message: "The network you're trying to join has security issues."
When I click View Certificate in the browser window on my cell, it shows the portal login URL, and says "This certificate isn't from a trusted authority". It shows Issued to: CN: *.mycompany.com and Issued by: DigiCert TLS RSA SHA256 2020 CA1.
Why wouldn't DigiCert be considered a Trusted Authority? I'm confused...
Thanks in Advance,
So the Cert from DigiCert came with the Wildcard cert and a Root Cert. When I looked at the Root cert it appears to be the same as the existing DigiCert Root Cert that's already uploaded to ISE...
If I try to upload the Root cert that I received with the new wildcard cert, would it give me an error/warning if that exact same cert already exists?
I don't think that's the issue here. If the root cert was not in the trusted cert store, it wouldn't even let you install the wildcard cert and private key.
Review this link:
Ok gotcha, thanks for the reply. That part makes sense...
From the link, I know they're specifically talking about iOS and I'm trying on an Android. But it sounds like it could be the same issue... Since I do not get the message on a Windows PC, should I assume this is just something with iOS and Android devices, and there's not really a "fix" per se?
I know it also mentioned something about the Cert having a CRL list. Not really familiar with what that is. Is there a way to check if our Cert has a Certificate Revocation List?
Open the public cert, go to Details, and you would see the CRL distribution list field.
It may be the bug mentioned by @Milos_Jovanovic.
On a separate note, I would think that whether it's PEAP or CWA, the CRL issue would apply in both cases, since the client needs to validate the ISE cert in both cases. Is that not right?
When you accept the certificate once, then delete the MAC and get redirected again, does it prompt the cert error again?
If you try to upload an already existing cert, yes, it would warn you that a cert with the same private/public key already exists.
I don't think it is the issue that @ammahend mentioned, because over there EAP is in use, while you are using CWA with the Guest portal, so different principles are in use.
What is your exact ISE version? As I mentioned, there is a known bug in which ISE is not sending the entire CA chain with the certificate for Guest portals.
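The two things discussed above, the portal not sending the intermediate CA and the "does our cert have a CRL list" check, can both be reproduced offline. The script below is an added example and is not from the thread, from Cisco, or from DigiCert: it builds a throwaway root, intermediate, and wildcard leaf with openssl (all names, Example Root CA, *.example.com, and the CRL URL are made up), then validates the leaf the way a phone does, with only the root in the trust store. Phone trust stores generally hold roots only and do not go and fetch a missing intermediate, whereas Windows typically already has it cached or fetches it, which is why the same chain looks fine on a PC and untrusted on a handset. The "Issued by" the phone displays is the intermediate, so that is the certificate the portal has to send.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the "not from a
# trusted authority" symptom with a throwaway PKI and show the two checks
# discussed above. Example Root CA, *.example.com and the CRL URL are made up.

WORK="${WORK:-$(mktemp -d)}"

# Build root -> intermediate -> wildcard leaf. The leaf carries a
# crlDistributionPoints extension so the CRL check below has something to find.
build_demo_pki() {
    dir="$1"
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com, DNS:example.com
crlDistributionPoints = URI:http://crl.example.com/intermediate.crl
EOF
    # Self-signed root: the only thing the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate, signed by the root (this is the "Issued by" a phone shows).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=Example TLS RSA SHA256 2020 CA1" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 \
        -extfile "$dir/openssl.cnf" -extensions v3_intermediate \
        -out "$dir/int.pem" 2>/dev/null
    # Wildcard leaf, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=*.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -sha256 \
        -extfile "$dir/openssl.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Act as a client whose trust store holds only the root, as a phone does.
# "$2" is what the portal served: "leaf_only" or "full" (leaf + intermediate).
# Exit status is the verification result.
verify_served_chain() {
    dir="$1"
    case "$2" in
        full) openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/int.pem" "$dir/leaf.pem" ;;
        *)    openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" ;;
    esac
}

# The check from the thread: print the CRL distribution point URI(s) carried
# by a public cert (empty output means the cert has none).
crl_distribution_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

build_demo_pki "$WORK"
echo "--- chain served without the intermediate (what a roots-only client sees):"
verify_served_chain "$WORK" leaf_only || echo "-> untrusted: cannot link *.example.com to a trusted root"
echo "--- chain served with the intermediate included:"
verify_served_chain "$WORK" full
echo "--- CRL distribution point in the leaf:"
crl_distribution_uri "$WORK/leaf.pem"
# Against a real portal (needs network; host and port are placeholders):
#   openssl s_client -connect guest.mycompany.com:8443 -servername guest.mycompany.com -showcerts </dev/null
# If only one BEGIN CERTIFICATE block comes back, the intermediate is not being sent.
```

The first verify fails with "unable to get local issuer certificate", which is the openssl wording of the phone's "isn't from a trusted authority"; adding the intermediate via -untrusted is exactly what a correctly sent server chain does for the client. Against the real portal, the -showcerts output tells you whether ISE is sending one certificate or the full chain.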