AnyConnect and SCEP Certificate Enrollment

Unanswered Question
Feb 13th, 2010


Does anyone have AnyConnect working with SCEP certificate enrollment to a Microsoft CA?  I've been attempting to get this working, but so far have had little luck.  I have a Windows Server 2008 Standalone CA with the SCEP service installed and working.  I can use SCEP on the ASA directly to enroll for identity certificates, so I know the service is working properly.

For the life of me, I can't get AnyConnect to do SCEP enrollment. I've read the AnyConnect Administrator Guide and followed the instructions to create a SCEP-enabled AnyConnect profile. Whenever I connect to my ASA using the SCEP-enabled Group URL, AnyConnect is installed, the profile is downloaded to the PC, and AnyConnect connects. AnyConnect never initiates the certificate enrollment, even though the client PC doesn't have a valid certificate at the time of login.

Any guidance, help, or known good example configurations would be helpful. I have a case open with Cisco on this, but I haven't gotten a lot of traction yet. I'm hoping somebody here has direct experience with this type of setup.
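The kind of SCEP-enabled AnyConnect client profile the original post describes, shown here as an added illustration rather than configuration from the poster or from Cisco. The ASA host name, the connection-profile name after the slash in AutomaticSCEPHost, the NDES URL and the organisation name are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Client-side SCEP: AnyConnect only starts enrollment when the session
         is to the host/connection profile named in AutomaticSCEPHost and the
         client has no usable identity certificate. -->
    <CertificateEnrollment>
      <!-- Renew automatically within 14 days of expiry -->
      <CertificateExpirationThreshold>14</CertificateExpirationThreshold>
      <!-- ASSUMED: ASA FQDN and the connection profile (tunnel group) whose
           group-url the client uses; both must match what the user connects to -->
      <AutomaticSCEPHost>vpn.example.com/scep_enroll</AutomaticSCEPHost>
      <!-- ASSUMED: NDES endpoint on the Windows Server 2008 CA; the challenge
           password is requested from the user rather than stored in the profile -->
      <CAURL PromptForChallengePW="true">http://ca.example.com/certsrv/mscep/mscep.dll</CAURL>
      <CertificateSCEP>
        <!-- Subject of the request; %USER% is replaced with the VPN username -->
        <Name_CN>%USER%</Name_CN>
        <Company_O>Example Corp</Company_O>
        <!-- Also offer a manual "Get Certificate" button in the client -->
        <DisplayGetCertButton>true</DisplayGetCertButton>
      </CertificateSCEP>
    </CertificateEnrollment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The ASA side of the same connection profile also has to permit SCEP (a scep-forwarding-url in the group policy and scep-enrollment enabled on the tunnel group); that half is not shown here.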



Shaun Bender Mon, 02/14/2011 - 17:05

Hi Jim,

I'm kinda in the same boat, doing Apple iOS devices with Windows 2008 CA. I can issue the certs fine. Just having issues with the end device connecting using certificates.

If I configure the ASA as the local CA, using client certificates work fine.

Let me know what you find out.



Tim Stretton Wed, 05/25/2011 - 14:08

Let me know if you were able to solve this AnyConnect SCEP Cert enrollment.


Shaun Bender Thu, 05/26/2011 - 11:11


On my issues I just had the certs being issued from the Win CA incorrect: I had to issue the "Web Server" cert to the ASA, then a "Client" cert to the Apple iOS device. Once I had that all "right", everything worked like a charm.

Each time you change the cert being issued from NDES, I changed the registry to match (I just made copies of the cert profiles instead of touching the original), then deployed each out.

Let me know if this helps.

(Sorry about the "huge" delayed response, been swamped.)



