Cisco Support Community

Error "Certificate is untrusted and have to explicitly accept the certificate" on AnyConnect 3.1




After upgrading the AnyConnect package on AS from 3.0 to 3.1, an error appears stating that the certificate is untrusted and must be explicitly accepted when trying to automatically log in to the website. Is it possible to disable the strict trust setting to avoid this error?


It is strongly recommended that Strict Certificate Trust for the AnyConnect client is enabled for the following reasons:


• With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps prevent man-in-the-middle attacks when users are connecting from untrusted networks such as public-access networks.

• Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows end users to accept unverifiable certificates. If your end users are subjected to a man-in-the-middle attack, they may be prompted to accept a malicious certificate. To remove this decision from your end users, enable Strict Certificate Trust.


Refer to Enable Strict Certificate Trust in the AnyConnect Local Policy for more information.



It is still possible to disable the Strict Certificate Trust setting by using the local policy editor.



This can also be done manually.


The profile editor is available as anyconnect-profileeditor-win-3.1.01065-k9.exe in the Standalone Profile Editor package for Windows platforms.
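
Because the setting can be changed in the local policy, it is worth checking what endpoints actually have configured. The following is an added example, not code from the original page or from Cisco: it parses the text of an AnyConnect local policy file and reports whether Strict Certificate Trust is enabled. The sample policies are constructed, and the `StrictCertificateTrust` element name, the `AnyConnectLocalPolicy` root and the namespace are assumptions about the local policy file layout on your client version.

```python
import xml.etree.ElementTree as ET

# Assumed namespace of the local policy file; matching below ignores it anyway.
NS = "http://schemas.xmlsoap.org/encoding/"

def _policy(body):
    # Build a constructed sample policy (not a real endpoint's file).
    return (f'<AnyConnectLocalPolicy xmlns="{NS}" acversion="3.1.01065">'
            f"<FipsMode>false</FipsMode>{body}</AnyConnectLocalPolicy>")

SAMPLE_STRICT = _policy("<StrictCertificateTrust>true</StrictCertificateTrust>")
SAMPLE_DISABLED = _policy("<StrictCertificateTrust>false</StrictCertificateTrust>")
SAMPLE_MISSING = _policy("")
SAMPLE_BROKEN = "<AnyConnectLocalPolicy><StrictCertificateTrust>true"

def _local(tag):
    """Strip an XML namespace prefix such as '{uri}Name' down to 'Name'."""
    return tag.rsplit("}", 1)[-1]

def audit_local_policy(xml_text):
    """Return (status, detail) where status is 'ok', 'weak' or 'error'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ("error", f"policy is not well-formed XML: {exc}")
    if _local(root.tag) != "AnyConnectLocalPolicy":
        return ("error", f"unexpected root element {_local(root.tag)!r}")
    values = [(el.text or "").strip().lower()
              for el in root.iter() if _local(el.tag) == "StrictCertificateTrust"]
    if not values:
        # Without the element the client keeps its default, which lets
        # users accept certificates that cannot be verified.
        return ("weak", "StrictCertificateTrust not set; default applies")
    if len(values) > 1:
        return ("error", "StrictCertificateTrust appears more than once")
    if values[0] == "true":
        return ("ok", "untrusted certificates are rejected without a prompt")
    if values[0] == "false":
        return ("weak", "users can accept untrusted certificates")
    return ("error", f"unrecognised value {values[0]!r}")

if __name__ == "__main__":
    for name, text in [("strict", SAMPLE_STRICT), ("disabled", SAMPLE_DISABLED),
                       ("missing", SAMPLE_MISSING), ("broken", SAMPLE_BROKEN)]:
        print(name, *audit_local_policy(text))
```

A missing element is reported as weak rather than as an error, because the client then falls back to the default behaviour described above.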