Installing a certificate on an iPhone for VPN use

Mar 30th, 2011

As I chip away at the tasks I need to complete in order to get on demand VPN to work on an iPhone, I'm a bit puzzled as to how I can get the certificate installed on the iPhone.  I'm also not sure if I'm exporting the correct cert from the ASA.  I'm exporting the identity cert from the ASA but I'm not sure if it should be in PEM or PKCS12 format.  I've tried both.  I tried putting the cert file in a place that I could get to from Safari.  That doesn't work.  Tried in email too.  Am I on the wrong path completely?

andamani Wed, 03/30/2011 - 18:02

Hi Mike,

I understand that you are trying to configure an SSL VPN connection with the ASA. The following link gives you details of certificates on iPhones.

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iphone.html

Hope this helps.

Regards.

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

MikeM-2468 Thu, 03/31/2011 - 04:21

Thanks for the reply.  That's the document that I had been working from before.  There isn't enough detail in there.  I guess my real question focuses more on exporting the identity cert from the ASA but I'm not sure if it should be in PEM or PKCS12 format and neither of those seem to be able to be imported into the phone.  In testing, I'm not even able to import either of those into Windows.  When I export them, it asks that it be exported with a passphrase.  When I import it in Windows, it asks for a password and the one I use at export doesn't work. Am I trying to use the wrong cert?

MikeM-2468 Fri, 04/01/2011 - 05:23

It seems that I should be installing a client or user cert from the CA.  I've done both but the option in AnyConnect to use certificates is still grayed out.

MikeM-2468 Fri, 04/01/2011 - 08:35

The solution was in exporting the user certificate from my PC's web browser as a .PFX.  Importing that into the iPhone (sent via email) worked to enable the Use Certificates option in the AnyConnect client.

iwearing Fri, 06/17/2011 - 04:30

Mike,

I read your post with interest as I have a similar issue. I am using a Microsoft internal CA. I have generated a CSR for an identity cert for my ASA. I import the CA root cert and signed identity cert onto the ASA.

I'm not so sure if I can use the same certificates on the iPhone or do I need to create an individual identity certificate for each iPhone to be used.

Any comments would be appreciated.

thanks

Ian.

MikeM-2468 Fri, 06/17/2011 - 05:04

I wouldn't recommend using the same cert for everyone.  I'm using individual certs for every user.  That way I can revoke one if I need to and it won't impact all users.  In my case, I tested the CRL backwards and forwards so I knew how it would work if I needed to revoke access.

iwearing Fri, 06/17/2011 - 06:22

Mike,

Thanks for the update.

Did you have to install the CA root certificate and the identity cert on the iPhone?

thanks

Ian.

MikeM-2468 Fri, 06/17/2011 - 06:25

You don't have to install anything but the user cert on the iPhone.  You can install the CA just so future certs would be trusted, but it isn't required.
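The two points settled in this thread, a per-user certificate delivered as a passphrase-protected .PFX and revoking a single user through the CRL, can be rehearsed offline with OpenSSL. This is an added example, not part of the original thread and not a Cisco procedure; the lab CA, the users alice and bob, and the passphrase are constructed for illustration.

```shell
# Constructed lab PKI: the CA name, user names and passphrase are made up.
set -eu
PKI=$(mktemp -d)

setup_ca() {
  mkdir -p "$PKI/newcerts"; : > "$PKI/index.txt"
  echo 1000 > "$PKI/serial"; echo 1000 > "$PKI/crlnumber"
  cat > "$PKI/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = lab
[lab]
database = $PKI/index.txt
new_certs_dir = $PKI/newcerts
serial = $PKI/serial
crlnumber = $PKI/crlnumber
certificate = $PKI/ca.crt
private_key = $PKI/ca.key
default_md = sha256
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab VPN CA" \
    -config "$PKI/ca.cnf" -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}
issue_user() {  # $1 = user; one key and cert per user, bundled as $1.pfx
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$PKI/ca.cnf" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  openssl ca -batch -config "$PKI/ca.cnf" -days 30 -notext -in "$PKI/$1.csr" -out "$PKI/$1.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$PKI/$1.key" -in "$PKI/$1.crt" -name "$1" \
    -passout pass:example-only -out "$PKI/$1.pfx"
}
revoke_user() {  # revoke one user's cert, then republish the CRL
  openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/$1.crt" 2>/dev/null
  openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/ca.crl" 2>/dev/null
}
check_user() {  # prints "valid" or "rejected" after a CRL-checked verification
  if openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/ca.crl" "$PKI/$1.crt" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}

setup_ca; issue_user alice; issue_user bob; revoke_user bob
echo "alice: $(check_user alice)  bob: $(check_user bob)"
```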


This Discussion

Posted March 30, 2011 at 9:53 AM