Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

AnyConnect and Certificate

AnyConnect needs a Digital Certificate to identifies the client.

Is it true that NOW it is necessary to use a certificate issued by a recognized authority and is no longer possible to use self-signed certificates?

Best regards

Claudio

  • VPN
Everyone's tags (3)
1 REPLY
Hall of Fame Super Silver

AnyConnect and Certificate

Are you asking about a client certificate or an ASA certificate?

By default, the AnyConnect client connecting to an ASA validates the ASA's identity by checking the certificate that the firewall presents. There is a checkbox in the AnyConnect client settings to "Block connections to Untrusted servers". It is checked by default. When that box is checked, the client will not connect to an ASA with a self-signed certificate (that has not been imported in the client's trusted certificate store). You can either uncheck the box (if allowed by policy - not generally recommended as it then allows all certificates), import the ASA certificate into your trusted store, or get a certificate signed by a trusted root CA (public or otherwise).

Client certificates (if used) must also be issued by a certificate authority recognized by the ASA. I've not seen people use self-signed client certificates in a production environment as they have little backing validating them.

197
Views
0
Helpful
1
Replies