
Guest Portal URL Certificate Issue ISE 2.3

dhanushka_
Level 1

Hello

I have deployed Cisco ISE 2.3 and it is working as expected, but I have an issue with the guest portal certificate. I have a publicly signed certificate, but this certificate did not work properly. What I did was generate a certificate signing request from ISE and get it signed by Comodo. Then I imported the root certificate given by Comodo into the trusted certificate store. I have bound the publicly signed certificate as well.

The issue is that the Guest Portal URL still gets a "certificate not trusted" error.


Accepted Solutions

I'd suggest opening a TAC case.


14 Replies

Hi,

Assuming the certificate has been imported correctly, the issue could be with the client computer not having the root certificate in its certificate store. Can you check to confirm? Some older OSs may not be up to date with the public root certificates.

Alternatively, is the CN (common name) used in the certificate the same as the DNS name used when accessing the Guest Portal? Can you provide a screenshot of the exact error?

Hi RJI,

Thanks for your reply. Yes, the CN (common name) of the certificate is the same as the DNS name used when accessing the Guest Portal.

I have attached a screenshot of the exact certificate error.

OK, just checking.

So I'm guessing the Comodo Certificate chain is not trusted by your browser. Can you open the link without error in IE? Can you check the machine trusted root certificate authority store...

No, in IE the same error occurred. I also checked the machine trusted root certificate store; Comodo certificates are available in the store.

Do you have the right certificate in the store though? From the screenshot, it looks like the Mac device is not able to find the chain to link to the root certificate. Apple does not have the "Comodo RSA Domain Validation Secure Server CA" certificate as a trusted CA. This can be verified in the Apple document below, which details the default trusted CA certificates in macOS High Sierra:

https://support.apple.com/en-us/HT208127#trusted

Another option (and recommended) is to have both the intermediate and root Comodo certificates installed on the ISE before importing the actual guest portal certificate. After this, the ISE should send the whole chain during the SSL handshake. The OS should then be able to validate just the root certificate "COMODO RSA Certification Authority" with SN "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D". Then you won't need to install the intermediate certificate on every machine.

When you mentioned that the root certificates sent by Comodo were installed on ISE, what are the subject names of those certificates?
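The behaviour described in the reply above, reproduced offline as an added example (not part of the original thread, and not Cisco or Comodo tooling): a constructed root, intermediate and portal certificate, checked the way a client that trusts only the root would check them. The CA names and the host name `guest.example.test` are made up, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed three-tier PKI (root -> intermediate -> portal leaf); every name is made up.
build_pki() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:guest.example.test
EOF
  # Self-signed root: the only certificate the simulated client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/pki.cnf" \
    -extensions v3_ca -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  # Intermediate CA signed by the root, then the portal leaf signed by the intermediate.
  issue "$d" int "Constructed Intermediate CA" root v3_ca &&
  issue "$d" leaf "guest.example.test" int v3_leaf
}

# issue <dir> <name> <CN> <issuer-name> <extension-section>
issue() {
  openssl req -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -days 2 -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/pki.cnf" -extensions "$5" -out "$1/$2.crt" 2>/dev/null
}

# What a client holding only the root concludes about the portal certificate.
#   leaf-only : server presents just its own certificate
#   full-chain: server also presents the intermediate
client_validates() {
  case $2 in
    leaf-only)  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" ;;
    full-chain) openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" ;;
    *) false ;;
  esac >/dev/null 2>&1 && echo trusted || echo untrusted
}

demo=$(mktemp -d) && build_pki "$demo" && {
  echo "leaf only : $(client_validates "$demo" leaf-only)"
  echo "full chain: $(client_validates "$demo" full-chain)"
}
```

The leaf is identical in both checks; only the presence of the intermediate in what the server presents changes the verdict, which is why importing the intermediates on the server removes the need to touch each client.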


Hi Rahul,

The certificates sent by Comodo are listed below:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your Free SSL Certificate - myauth_boc_lk.crt

As you suggested, we have imported the Comodo RSA Domain Validation Secure Server CA, serial no. "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D". You can find this certificate at the link below:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2

Now this issue is resolved for Mac OS, but we still have it with Android OS. We found domain validation certificates for Android but could not figure out which one is the right one:

https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate

 

I have this problem too.
When I imported the Comodo RSA Domain Validation Secure Server CA, serial no. "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D", certificate, this issue was resolved for Mac High Sierra OS.
But Android OS still faces this issue. I found out that only SHA1 and SHA256 certificates are available on Android OS, so can anyone figure out which certificate will resolve this issue?

The cert that should be installed is the SHA256 one with S/N "2b2e6eead975366c148a6edba37c8c07". Look under the essentialSSL section under this link:

https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate

I do recall how Android keeps its certificate store and how browsers access it. I would add all the root and intermediate certificates to the cert store if you can.

vaguirre17
Level 1

Hello.

Did you find any workaround? I have the same issue with SAML and the guest portal, but it is a massive deployment, so going into the certificate store for all the devices (laptops and mobile phones) is not an option.


@vaguirre17 wrote:

Hello.

Did you find any workaround? I have the same issue with SAML and the guest portal, but it is a massive deployment, so going into the certificate store for all the devices (laptops and mobile phones) is not an option.


Have you considered installing a well-known root certificate so you don't have to update all your clients?

Hello Jason.

Do you mean install an external CA certificate, like GlobalSign? I have already installed it, but I'm having the same error.

I'd suggest opening a TAC case.

You only need a third-party certificate for the PORTAL; in this case you avoid the warnings for the internal portal and for SAML too.