Cisco Support Community
Community Member

Cisco Anyconnect SSL VPN Client Cert Error

Getting an error with Windows 7 and the SSL client.

It's saying that the certificate doesn't match the name of the site you are trying to view. But when you view the certificate it says it's 'OK' and matches just fine with the domain.

Any ideas? This is the first issue we've had with this new VPN solution, (we used Nortel IPSEC before).

Cisco Employee

Re: Cisco Anyconnect SSL VPN Client Cert Error

On the certificate, you need to check what is the "Issue to" say, and when you connect via AnyConnect, you would need to use the same name as what the certificate says.

So if the certificate issue to says: "" for example, then when you connect via AnyConnect, you also need to use "" instead of ip address for example. If you connect via ip address then it doesn't match the certificate issue to, or vice versa.

Community Member

Re: Cisco Anyconnect SSL VPN Client Cert Error

I think you are using a private certificate issued by your own CA and you are not able to reach the CRL list from the ASA to check if the client cert is valid.

In ASDM go to Configuration, Certificate Management, CA Certificates and make sure you have your CA cert installed there.To verify if it is a problem getting the CRL list click the CA cert and Request CRL, nothing will happen if it can't reach it.

Click on Edit and tick Do not check certificates for revocation and you should now not get the certificate validation error message anymore from your client machine. You also won't be able to expire any certs if you leave Do not check ticked, so to fix it:

1) Check that the protocol you use to retreive the CRL is allowed through any firewalls you have, the options are LDAP or http.

2) The ASA's default is to use the CRL list that is stored in the CA cert itself. You can view the url on your client machine if you click view certificate in your browser(IE): Tools,Internet Options, Content, Certificates, View, Details, CRL distribution points. Get the direct url from your cert server adminstrator and fill it in under the CRL retrieval policy tab if you have to. Click Request CRL again to verify that it is working.

Also configure DNS servers that are reachable and can resolve the CRL url from your ASA using the 'name-server' command on the cli.

CreatePlease to create content