Hi Tyson, thank you for the reply! I actually have tried it already... Sorry - I should have mentioned it in my original post. I just disabled/re-enabled the http server and http secure server, thinking that whether it is required for the new trustpoint to take effect but failed... Could it be something on the certificate? It is my first time generating a cert for the router. I am not sure if I did everything right. Thanks!

GIR02-70#show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server active supplementary listener ports:
HTTP server authentication method: local
HTTP server auth-retry 0 time-window 0
HTTP server digest algorithm: md5
HTTP server access class: 0
HTTP server IPv4 access class: None
HTTP server IPv6 access class: None
HTTP server base path:
HTTP File Upload status: Disabled
HTTP server upload path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 300
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 600 seconds
Maximum number of requests allowed on a connection: 25
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite:  aes-128-cbc-sha dhe-aes-128-cbc-sha
        ecdhe-rsa-aes-128-cbc-sha rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
        dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
        ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version:  TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: INT-IT-00-CER-PRO1-CAHTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL

Hey Tyson, I got it figured out and it was that I didn't import the (intermediate) CA cert correctly... I probably messed up which text copy... I also have imported the root CA and configured the "chain-validation".. Not sure if they helped too. Thanks for the advice anyway! Now I have another two trivial issues

1. Browser (Chrome) and postman still complain about "connection is not private"... And yes, to answer your question, I have verified that the cert the browser sees now is the Microsoft CA assigned one, instead of the self-signed one from before. On my ubuntu box, "openssl verify" reports "ok" though. I have also got my Windows admin guys to verify that my Windows PC has the intermediate and root CA installed properly.

2. I don't have the Subject Alternative Name (SAN) field in the cert. It instead becomes "Unstructured Name = gir02-70.int.pason.com". I am not sure if it contributes to the above privacy error... Here is my CSR

crypto pki trustpoint INT-IT-00-CER-PRO1-CA
 enrollment terminal
 fqdn gir02-70.int.pason.com
 subject-name CN=gir02-70.int.pason.com,OU=DigitComm,O=Pason Systems Corp,C=CA,ST=Alberta
 subject-alt-name gir02-70.int.pason.com
 chain-validation continue PASONROOTCA-CA
 revocation-check none

I also opened a case about this. I know it's hard to troubleshoot this without seeing other configs that I might not be able to share here. Please let me know what you think about the two problems. I will report back when I hear back from the support team too. Thanks!

What is the validity length for your certificate. Sept last year, Chrome and Firefox will throw a warning if any certificate is valid for more than 1 year even though everything else about the certificate is perfect.

Have you imported the CA certificate into your computer along with any intermediates into your trusted store?

Hey Tyson, yes I think so but who am I to say that for sure? I am doing it for the very first time. Here are the show command outputs. And yes, they are all over one year in length... However, I just went to my company's home page https://www.pason.com and it has validity till 2022, and I am not seeing a warning with it. thanks!

--- Intermediate CA cert and the router cert ---
GIR02-70#sh crypto pki certificates verbose INT-IT-00-CER-PRO1-CA
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 5B0001BD11CB55A932430BA54000020001BD11
  Certificate Usage: General Purpose
  Issuer:
    cn=int-IT-00-CER-PRO1-CA
    dc=int
    dc=pason
    dc=com
  Subject:
    Name: gir02-70.int.pason.com
    cn=gir02-70.int.pason.com
    ou=DigitComm
    o=Pason Systems Corp
    st=Alberta
    c=CA
    hostname=gir02-70.int.pason.com
  CRL Distribution Points:
    ldap:///CN=int-IT-00-CER-PRO1-CA(1),CN=it-00-cer-pro1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://pki.int.pason.com/CertEnroll/int-IT-00-CER-PRO1-CA(1).crl
  Validity Date:
    start date: 14:33:44 CST Jan 8 2021
    end   date: 14:33:44 CST Jan 8 2023
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Fingerprint MD5: 339767AB BC4926C4 46F63613 7EA50208
  Fingerprint SHA1: 494CCC81 FFA19A2E 6FE33D19 87857ABD 333AC690
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 72CD118A 9329BEB4 BA1F6D85 9B3FF674 8078C697
    X509v3 Authority Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24
    Authority Info Access:
        CA ISSUERS: ldap:///CN=int-IT-00-CER-PRO1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority
        CA ISSUERS: http://pki.int.pason.com/CertEnroll/it-00-cer-pro1.int.pason.com_int-IT-00-CER-PRO1-CA(2).crt
    Extended Key Usage:
        Server Auth
  Associated Trustpoints: INT-IT-00-CER-PRO1-CA
  Key Label: GIR02-70.int.pason.com
  Key storage device: private config

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 1C000000092E292EC4629493CA000200000009
  Certificate Usage: Signature
  Issuer:
    cn=PASONROOTCA-CA
  Subject:
    cn=int-IT-00-CER-PRO1-CA
    dc=int
    dc=pason
    dc=com
  CRL Distribution Points:
    ldap:///CN=PASONROOTCA-CA,CN=PasonRootCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://pki.int.pason.com/CertEnroll/PASONROOTCA-CA.crl
  Validity Date:
    start date: 10:33:13 CDT Sep 12 2019
    end   date: 10:43:13 CDT Sep 12 2026
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Fingerprint MD5: 8104BE20 E3E9F86D 550F278C E2B53B12
  Fingerprint SHA1: 6647F887 8F7EC830 81EBFDED 6E7DFEF4 4728967B
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 45A247A8 5B651807 1C597099 3D421F1C C5CCBD24
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: 9CC4D990 565259B2 34A12338 5D7A3E5A 0F4F5295
    Authority Info Access:
        CA ISSUERS: ldap:///CN=PASONROOTCA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=int,DC=pason,DC=com?cACertificate?base?objectClass=certificationAuthority
        CA ISSUERS: http://pki.int.pason.com/CertEnroll/PasonRootCA_PASONROOTCA-CA(2).crt
  Associated Trustpoints: INT-IT-00-CER-PRO1-CA

--- root CA cert ---
GIR02-70#show crypto pki certificates verbose PASONROOTCA-CA
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 7DDDC26D79CCA0AC43FB3C977EC5151F
Certificate Usage: Signature
Issuer:
cn=PASONROOTCA-CA
Subject:
cn=PASONROOTCA-CA
Validity Date:
start date: 16:29:47 CDT Mar 19 2019
end date: 09:42:12 CDT Sep 12 2029
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: B1BCE85A BC47C428 4217A0F3 47389202
Fingerprint SHA1: 51386996 7DA7D471 EECBB789 8DA5BA42 ADD601C2
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 9CC4D990 565259B2 34A12338 5D7A3E5A 0F4F5295
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: PASONROOTCA-CA

Cisco Doc.
"This option is used to create a self-signed trustpoint certificate for the router that contains the trustpoint name in the Subject Alternative Name (subjectAltName) field. This Subject Alternative Name can be used only when the enrollment selfsigned command is specified for self-signed enrollment in the trustpoint policy."

Hey thanks MHM, could you send me the link for this, please? SAN should be a very common field. I am surprised to know that it is designed to be used only in the self-signed certs..