Cisco ISE and Entrust certificates

With all the changes that Third Party Trusted CA’s are making these days, it is important to understand how cert chains work and which intermediate(s) and root certs to import into the Certificate Store in ISE.  This could be a very long post to cover everything, and I don’t claim to understand every aspect by any means, so I’ll cut to the chase and use one of my latest projects as an example.

Something I learned on this project that I probably should have already known, but didn’t, is that when you open a CA-signed cert on your windows machine, you can’t necessarily believe what you see in the Certification Path tab.  You would think that tab shows you the definite cert path for your signed cert.  Alas, that is not the case. What you see is the Windows interpretation of the cert path based on what it has in its cert store.  What you really need to rely on is the cert files sent by the CA when they send the signed cert.  In many cases, the customer will send you the signed cert and simply fail to include the CA files, be sure to ask for them.

Entrust made a change recently which seems to work fine for IE and Chrome, but not for Firefox. Firefox looks at certs a bit differently and will likely be the one to “fail” amongst the three.  So, it is always good to test all three main browsers after you install the CA-signed cert.  Keep in mind that if you make any changes to the cert store, you need to restart ISE services before testing (not when you first add them, only if you make changes).  Also, if you had issues with the cert and were prompted by Firefox to add an exception, you’ll need to remove that exception, close out all instances of Firefox, then open a fresh instance and try again.  You delete the exception by going to your Firefox browser options, click the Advanced tab, then the Certificates tab.  Click the View Certificates button, click on the Servers tab, then scroll down to see the servers listed under your particular CA.  In my case, that was Entrust so I clicked on the fqdn of my ISE server and then clicked the Delete button.  Again, after you do this, you need to close out of all instances of Firefox, open a fresh one, and type in the fqdn for your server (as you included in the CSR).

In my testing, I loaded the CA certs I thought I needed in the cert store, but they didn’t work for Firefox.  So, after some research and learning what I mentioned above, I loaded the correct CA certs.  But, it still didn’t work.  Why I didn’t think to restart the ISE services right away is beyond me, but I didn’t.  However, once I did that, Firefox didn’t complain anymore.  I still see a gray colored lock, but that is because my customer didn’t purchase the EV type of cert that does a deeper verification.  So, in this case, the gray lock is what I should see.  Keep in mind, you’ll see the gray lock once you add an exception as well, so the gray lock doesn’t necessarily mean all is well.  When you click on the lock in the browser, click More Information, then View Certificate, the message at the top should say “This Certificate has been verified for the following uses:” instead of “Could not verify this certificate because the issuer is unknown.”

If you are having this same issue with Entrust, take a look at the following link:

The relatively new G2 root that Entrust has is not yet trusted by Firefox, hence the trust issue.  They have a workaround that does function.  I was told by Entrust that the G2 root may be trusted by Firefox in a future update that could be available in about six weeks.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s