I generated an Enterprise CA on my domain (secops), and I'm trying to generate an identity cert for a client network so we can use Duo with FMC/FTD. Everything is working from "MY" domain joined computer (following the Microsoft/ISE export/CSR process), I have my ACC-ROOT-CA, pasted the contents into the FTD > Add Cert Enrollment > CA Certificate|Manual page, generated CSR, took the contents and back to the CA server to sign the cert, getting the .cer with my client's certificate information (O=IT, etc). My client gets an authentication server failed and so do I from any non-domain joined computer. How do we create a cert such that any computer with that cert stored in the Trusted Root Cert Authority can pass authentication? Once that is resolved, it will all work b/t Duo SSO and RAVPN with FTD!

I determined that using the ISE Computer/User auto-enrollment cert methodology, my domain computers authenticate with Duo SSO/SAML 2.0 no problem. Non-domain computers have the issue.  Upon visiting sslshopper, entering vpn.domain.com the certification path requires an Intermediate CA/Sub CA for this to work.  I'm building the Sub CA to satisfy this requirement.  It looks like the non-domain computers require both the Root CA certificate imported into the Local Computer > Trusted Root Certification Authority and the Identity certificate is imported into Personal > Certificates which was completed, however, in the FMC, the process was to take the contents of the Root CA paste into the Manual certificate textbox and then generate a CSR from the FMC, which I thought would remove the need to import the Root CA.  I'm not sure if you have any thoughts on that.  I'll let you know the results after installing the Sub CA.