06-21-2018 03:54 AM - edited 02-21-2020 10:59 AM
Hello
I have deployed Cisco ISE 2.3 and it is working as expected, but I have an issue with the guest portal certificate. I have a publicly signed certificate, but this certificate did not work properly. What I did was generate a certificate signing request from ISE and get it signed by Comodo. Then I imported the root certificate given by Comodo into the trusted certificate store. I have bound the publicly signed certificate as well.
The issue is that the Guest Portal URL still gets a "certificate not trusted" error.
06-21-2018 04:13 AM - edited 06-21-2018 04:14 AM
Hi,
Assuming the certificate has been imported correctly, the issue could be with the client computer not having the root certificate in its certificate store. Can you check to confirm? Some older OSs may not be up to date with the public root certificates.
Alternatively, is the CN (common name) used in the certificate the same as the DNS name used when accessing the Guest Portal? Can you provide a screenshot of the exact error?
06-21-2018 12:40 PM
06-21-2018 12:52 PM
06-21-2018 12:59 PM
06-21-2018 02:55 PM
Do you have the right certificate in the store though? From the screenshot, it looks like the Mac device is not able to find the chain to link to the root certificate. Apple does not have the "Comodo RSA Domain Validation Secure Server CA" certificate as a trusted CA. This can be verified in the Apple document below, which details the default trusted CA certificates in macOS High Sierra:
https://support.apple.com/en-us/HT208127#trusted
Another option (and recommended) is to have both the intermediate and root Comodo certificates installed on the ISE before importing the actual guest portal certificate. After this, the ISE should send the whole chain during the SSL handshake. The OS should then be able to validate just the root certificate "COMODO RSA Certification Authority" with SN "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D". Then you won't need to install the intermediate certificate on every machine.
When you mentioned that the root certificates sent by Comodo were installed on ISE, what are the subject names of those certificates?
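The behaviour described in the reply above (a client that trusts only the root accepts the portal certificate once the server also sends the intermediate), as an added example that is not part of the original thread. It builds a throwaway lab PKI with the openssl CLI; the subject names, the host name guest.example.test and the function names are all made up for illustration.

```shell
#!/bin/sh
# Constructed lab PKI (made-up names): root -> intermediate -> portal leaf.
build_lab_pki() {  # $1 = empty working directory
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:guest.example.test
EOF
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
      -subj "/CN=Lab $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root: the only certificate the client will trust.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 2 \
    -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate signed by the root, portal leaf signed by the intermediate.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/pki.cnf" -extensions ca_ext \
    -out "$d/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -extfile "$d/pki.cnf" -extensions leaf_ext \
    -out "$d/leaf.pem" 2>/dev/null
}

# Validate leaf $2 as a client whose trust store is $1. Optional $3 is the
# intermediate the server sent in the handshake (treated as untrusted input).
client_validates() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

lab=$(mktemp -d)
build_lab_pki "$lab"
client_validates "$lab/root.pem" "$lab/leaf.pem" \
  && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
client_validates "$lab/root.pem" "$lab/leaf.pem" "$lab/int.pem" \
  && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: NOT trusted"
```

The first check corresponds to a server that presents only its own certificate; the second corresponds to a server that presents the full chain.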
06-28-2018 03:43 PM - edited 06-28-2018 03:48 PM
06-28-2018 03:46 PM
Hi Rahul,
The certificates sent by Comodo are listed below,
As you suggested, we have imported Comodo RSA Domain Validation Secure Server CA, serial no. "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D". You can find this certificate in the link below,
Now this issue is resolved for macOS, but we still have it with Android OS. We found domain validation certificates for Android but could not figure out which one is the right one,
07-02-2018 09:03 PM
07-03-2018 07:31 AM
The cert that should be installed is the SHA256 one with S/N "2b2e6eead975366c148a6edba37c8c07". Look under the essentialSSL section under this link:
I do recall how Android keeps its certificate store and how browsers access it. I would add all the root and intermediate certificates to the cert store if you can.
11-14-2019 05:49 AM
Hello.
Did you find any workaround? I have the same issue with SAML and the guest portal, but it is a massive deployment, so going into the certificate store on all the devices (laptops and mobile phones) is not an option.
11-14-2019 07:26 AM
@vaguirre17 wrote:
Hello.
Did you find any workaround? I have the same issue with SAML and the guest portal, but it is a massive deployment, so going into the certificate store on all the devices (laptops and mobile phones) is not an option.
Have you considered installing a well-known root certificate so you don't have to update all your clients?
11-14-2019 10:32 AM
Hello Jason.
Do you mean installing an external CA certificate, like GlobalSign? I have already installed it, but I'm having the same error.
11-19-2019 11:32 AM
03-16-2020 12:27 PM