I have deployed Cisco ISE 2.3 and it is working as expected, but I have an issue with the guest portal certificate. I have a publicly signed certificate, but this certificate did not work properly. What I did was generate a certificate signing request from ISE and get it signed by Comodo. Then I imported the root certificate given by Comodo into the trusted certificate store. I have bound the publicly signed certificate as well.
The issue is that the Guest Portal URL still gets a "certificate not trusted" error.
Assuming the certificate has been imported correctly, the issue could be with the client computer not having the root certificate in its certificate store. Can you check to confirm? Some older OSs may not be up to date with the public root certificates.
Alternatively, is the CN (common name) used in the certificate the same as the DNS name used when accessing the Guest Portal? Can you provide a screenshot of the exact error?
Do you have the right certificate in the store though? From the screenshot, it looks like the Mac device is not able to find the chain to link to the root certificate. Apple does not have the "Comodo RSA Domain Validation Secure Server CA" certificate as a trusted CA. This can be verified in the Apple document below, which details the default trusted CA certificates in macOS High Sierra:
Another option (and recommended) is to have both the intermediate and root Comodo certificates installed on the ISE before importing the actual guest portal certificate. After this, the ISE should send the whole chain during the SSL handshake. The OS should then be able to validate just the root certificate "COMODO RSA Certification Authority" with SN "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D". Then you won't need to install the intermediate certificate on every machine.
When you mentioned that the root certificates sent by Comodo were installed on ISE, what are the subject names of those certificates?
The certificates sent by Comodo are listed below:
As you suggested, we have imported the Comodo RSA Domain Validation Secure Server CA, serial no. "4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D". You can find this certificate at the link below:
Now this issue is resolved for macOS, but we still have it with Android OS. We found domain validation certificates for Android but could not figure out which one is the right one:
The cert that should be installed is the SHA256 one with S/N "2b2e6eead975366c148a6edba37c8c07". Look under the essentialSSL section under this link:
I do recall how Android keeps its certificate store and how browsers access it. I would add all the root and intermediate certificates onto the cert store if you can.
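The chain problem discussed in this thread, reproduced offline as an added example (not posted by any participant and not Cisco or Comodo tooling): a client that trusts only the root cannot validate the portal certificate unless the intermediate is delivered alongside it. All CA and host names are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: constructed test PKI; every name below is made up.

# mkpki DIR: build root -> intermediate -> leaf certificates inside DIR.
mkpki() (
  cd "$1" &&
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'CN = unused' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' > ca.cnf &&
  # Self-signed root: the only certificate the "client" trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -days 2 -subj "/CN=Constructed Root CA" -config ca.cnf -extensions v3_ca &&
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Constructed Intermediate CA" -config ca.cnf &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 2 -extfile ca.cnf -extensions v3_ca &&
  # Portal (leaf) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=guest.example.test" -config ca.cnf &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 2
)

# check_chain DIR [INTERMEDIATE]: validate leaf.pem while trusting only
# root.pem. INTERMEDIATE stands in for what the server sends in the handshake.
check_chain() {
  if openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} \
       "$1/leaf.pem" >/dev/null 2>&1
  then echo OK
  else echo FAIL
  fi
}

# chain_demo: print the validation result without and with the intermediate.
chain_demo() {
  d=$(mktemp -d) || return 1
  if mkpki "$d" >/dev/null 2>&1; then
    echo "leaf-only=$(check_chain "$d") leaf+intermediate=$(check_chain "$d" "$d/int.pem")"
    rm -rf "$d"
  else
    rm -rf "$d"; return 1
  fi
}

chain_demo
```

Against a live portal, `openssl s_client -connect HOST:PORT -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.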