We already had all the crl.* entries. Adding the ocsp.* entries fixed the issue for us. 

Thanks!

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Don Nightingale" <[log in to unmask]>
To: [log in to unmask]
Sent: Monday, July 9, 2012 11:29:15 AM
Subject: Re: Apple Safari users get certificate warning from CAS server

Macs started using ocsp by default in the latest release.  The servers 
used aren't in the default allowed hosts list for the 
unauthenticated/temp roles.

Try adding the ocsp.* host entries for your cert provider in the 
unauthenticated and temp roles.  This cleared up the problem for us (CCA 
4.8.2).

--
Don



On 7/9/2012 11:07 AM, Kelly Slone wrote:
> I have noticed the same issue with a new cert we have installed for our guest
> wireless implementation of ISE.  The "invalid certificate issuer" error is
> only seen from clients running 10.7.x Lion that are using Safari.  We do not
> see this issue on ipads, iphones, windows machines, or other OS X versions
> even including the latest developers seed of 10.8 Mountain Lion.
>
> Thank you,
>
> Kelly Slone, B.S., MCP
> Telecom Specialist II
> Marshall University Computing Services
> Drinko Library DL 434A
> Office:  304-696-6109
> Helpdesk:  304-696-3200
> [log in to unmask]