We are using Cisco Identity Services Engine (ISE) as a portal for Guest Wireless. We have installed a certificate signed by Entrust (All of our certificates are signed by Entrust). We opened each certificate (server, intermediate and root) for the Guest Wireless portal and verified the chain of trust by matching the Subject Key Identifier (SKI) of each certificate to the Authority Key Identifier (AKI) of the next certificate in the chain. We placed the Intermediate and Root in the proper place in Cisco ISE as well as the Server Certificate. We also opened a case with Cisco TAC to verify that everything on the Cisco ISE server was configured correctly. Here is the problem we are having: When a user is using Edge, Chrome or IE as their default browser, the portal presentation page shows a valid certificate. When a user is using the latest version of Firefox as their default browser, they get a non secure certificate warning if they have never visited a site that uses the same Entrust Intermediate certificate. If a user has previously visited a site with the same Intermediate certificate then they get a valid certificate. We verified that the user that gets a non secure certificate warning has the Entrust Root certificate in the "Authorities" section of Certificate Manger. The Intermediate certificate does not appear to get installed in the Firefox browser when the user first connects to the portal. We manually imported the Intermediate certificate and the page loads with a valid certificate. We then go into the options settings and remove the Intermediate certificate, close all open browsers, reload the windows 10 workstation, connect to the portal and the page shows a secure certificate. When we look in the "Authorities" section of Certificate Manger the Intermediate certificate is listed. My question is, why do we have to manually install the Intermediate certificate for this to work in Firefox?