Beginner

Guest Portal URL Certificate Issue ISE 2.3

Hello,

I have deployed Cisco ISE 2.3 and it is working as expected, but I have an issue with the guest portal certificate. I have a publicly signed certificate, but this certificate did not work properly. What I did was generate a certificate signing request from ISE and get it signed by Comodo. Then I imported the root certificate given by Comodo into the trusted certificate store. I have bound the publicly signed certificate as well.

The issue is that the Guest Portal URL still gets a "certificate not trusted" error.

RJI (VIP Advocate)

Re: Guest Portal URL Certificate Issue ISE 2.3

Hi,

Assuming the certificate has been imported correctly, the issue could be with the client computer not having the root certificate in its certificate store. Can you check to confirm? Some older OSs may not be up to date with the public root certificates.

Alternatively, the CN (common name) used in the certificate: is that the same as the DNS name used when accessing the Guest Portal? Can you provide a screenshot of the exact error?

Beginner

Re: Guest Portal URL Certificate Issue ISE 2.3

Hi RJI,

Thanks for your reply. Yes, the CN (common name) of the certificate is the same as the DNS name used when accessing the Guest Portal.

I have attached a screenshot of the exact certificate error.

RJI (VIP Advocate)

Re: Guest Portal URL Certificate Issue ISE 2.3

OK, just checking.

So I'm guessing the Comodo Certificate chain is not trusted by your browser. Can you open the link without error in IE? Can you check the machine trusted root certificate authority store...
Beginner

Re: Guest Portal URL Certificate Issue ISE 2.3

No, in IE the same error occurred. I also checked the machine trusted root certificate store; Comodo certificates are available in the store.
VIP Advocate

Re: Guest Portal URL Certificate Issue ISE 2.3

Do you have the right certificate in the store though? From the screenshot, it looks like the Mac device is not able to find the chain to link to the root certificate. Apple does not have the "Comodo RSA Domain Validation Secure Server CA" certificate as a trusted CA. This can be verified in the Apple document below, which details the default trusted CA certificates in macOS High Sierra:

https://support.apple.com/en-us/HT208127#trusted

Another option (and recommended) is to have both the intermediate and root Comodo certificates installed on the ISE before importing the actual guest portal certificate. After this, the ISE should send the whole chain during the SSL handshake. The OS should then be able to validate just the root certificate "COMODO RSA Certification Authority" with SN "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D". Then you won't need to install the intermediate certificate on every machine.

When you mentioned root certificates sent by Comodo were installed on ISE, what are the subject names of those certificates?
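Why it matters that the server sends the intermediate, shown as an added example that is not part of the original reply: a throwaway root, intermediate and leaf are built with `openssl` and the leaf is verified against a client that trusts only the root, first without and then with the intermediate supplied. All names (`Demo Root CA`, `guest.example.test`, file names) are constructed placeholders, not the Comodo chain from the thread.

```shell
#!/bin/sh
# Constructed demo PKI (placeholder names; not the Comodo chain from the thread).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <name> <subject> <ext-file> [issuer-name]: key + CSR, then sign it.
make_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
  if [ -z "$issuer" ]; then   # no issuer given: self-signed root
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$ext" -out "$WORK/$name.crt" >/dev/null 2>&1
  else                        # signed by the named issuer's key
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -days 30 -extfile "$ext" -out "$WORK/$name.crt" >/dev/null 2>&1
  fi
}

build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  printf 'subjectAltName=DNS:guest.example.test\n' > "$WORK/leaf.ext"
  make_cert root "/CN=Demo Root CA" "$WORK/ca.ext" &&
  make_cert int "/CN=Demo Intermediate CA" "$WORK/ca.ext" root &&
  make_cert leaf "/CN=guest.example.test" "$WORK/leaf.ext" int
}

# Client trusts the root; the server presented only its own certificate.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same client; the server also sent the intermediate (untrusted helper cert).
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

build_demo_pki || { echo "openssl setup failed" >&2; exit 1; }
verify_leaf_only && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
verify_with_intermediate && echo "leaf + intermediate: trusted" \
  || echo "leaf + intermediate: NOT trusted"
```

Against a live portal, `openssl s_client -connect <host>:<port> -showcerts` lists the certificates the server actually presents, which shows whether the intermediate is being sent.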

 

 

Beginner

Re: Guest Portal URL Certificate Issue ISE 2.3

Hi Rahul,

The certificates sent by Comodo are listed below:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your Free SSL Certificate - myauth_boc_lk.crt

As you suggested, we have imported Comodo RSA Domain Validation Secure Server CA, serial no. "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D". You can find this certificate at the link below:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2

Now this issue is resolved for macOS, but we still have it with Android OS. We found the domain validation certificates for Android but could not figure out which one is the right one:

https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate

 

Re: Guest Portal URL Certificate Issue ISE 2.3

I have this problem too.
When I import the Comodo RSA Domain Validation Secure Server CA, serial no. "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D", certificate, this issue is resolved for Mac High Sierra OS.
But Android OS still faces this issue. I found out that only SHA1 and SHA256 certificates are available on Android OS. Can anyone figure out which certificate will resolve this issue?
VIP Advocate

Re: Guest Portal URL Certificate Issue ISE 2.3

The cert that should be installed is the SHA256 one with S/N "2b2e6eead975366c148a6edba37c8c07". Look under the essentialSSL section under this link:

https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate

I do recall how Android keeps its certificate store and how browsers access it. I would add all the root and intermediate certificates to the cert store if you can.