I firgured out what mistake i was makeing earlier and was able to import the cert chained in different ways. I tried leaf with one intermediate, with both intermediates, then added root. The automatic login page that popped up threw the cert error each time.
I then started to look at my device. I went into settings and found the list of trusted CA. I was able to find Entrust root, and G2 listed there with the exact same name as to what my login page uses, but they have different serial numbers, different validity dates, etc. Could that be my issue? Is it just that the CNA is not smart enough to see my cert is valid?