Cisco Support Community

New Member

AnyConnect and SCEP Certificate Enrollment


Does anyone have AnyConnect working with SCEP certificate enrollment to a Microsoft CA?  I've been attempting to get this working, but so far have had little luck.  I have a Windows Server 2008 Standalone CA with the SCEP service installed and working.  I can use SCEP on the ASA directly to enroll for identity certificates, so I know the service is working properly.

For the life of me, I can't get AnyConnect to do SCEP enrollment.  I've read the AnyConnect Administrator Guide and followed the instructions to create a SCEP enabled AnyConnect profile.  Whenever I connect to my ASA using the SCEP enabled Group URL, AnyConnect is installed, the profile downloaded to the PC, and AnyConnect connects.  AnyConnect never initiates the certificate enrollment, even though the client PC doesn't have a valid certificate at the time of login.

Any guidance, help, or known good example configurations would be helpful.  I have a case open with Cisco on this, but I haven't gotten a lot of traction yet.  I'm hoping somebody here has direct experience with this type of setup.



New Member

Re: AnyConnect and SCEP Certificate Enrollment

Hi Jim,

I'm kinda in the same boat, doing Apple iOS devices with Windows 2008 CA. I can issue the certs fine. Just having issues with the end device connecting using certificates.

If I configure the ASA as the local CA, using client certificates works fine.

Let me know what you find out.



New Member

Re: AnyConnect and SCEP Certificate Enrollment

Let me know if you were able to solve this AnyConnect SCEP Cert enrollment.


New Member

Re: AnyConnect and SCEP Certificate Enrollment


On my issues I just had the certs being issued from the Win CA incorrect; I had to issue the "Web Server" cert to the ASA, then a "Client" cert to the Apple iOS device.  Once I had that all "right" .. everything worked like a charm.

Each time you change the cert being issued from NDES, I changed the registry to match (I just made copies of the Cert profiles instead of touching the original), then deployed each out.

Let me know if this helps.

(Sorry about the "huge" delayed response, been swamped.)


Message was edited (spelling) by: Shaun Bender
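
The registry change described in the post above, sketched as an added example that is not part of the original thread: it points NDES at a duplicated template and then checks which purpose an issued certificate actually carries. Assumptions: it runs elevated on the NDES server, NDES is hosted by IIS on that server, and `EXAMPLE-AnyConnectClient` is a placeholder for the short name of your own duplicated template.

```powershell
# Added example, not code from the thread. Run elevated on the NDES server.
# Assumption: 'EXAMPLE-AnyConnectClient' is a placeholder for the short name
# (not the display name) of a duplicated certificate template.
$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$Values   = 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate'

function Set-NdesTemplate {
    param([Parameter(Mandatory)][string]$TemplateName)
    # Record the current values so the change can be rolled back.
    $previous = Get-ItemProperty -Path $MscepKey | Select-Object $Values
    # NDES picks one of the three values based on the key usage in the request,
    # so all three are set to the same template here.
    foreach ($v in $Values) {
        Set-ItemProperty -Path $MscepKey -Name $v -Value $TemplateName
    }
    # NDES reads these values at startup, so restart IIS.
    iisreset | Out-Null
    return $previous
}

function Test-CertPurpose {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$EkuOid
    )
    # True only when the Enhanced Key Usage extension explicitly lists the OID.
    # A certificate with no EKU extension is reported as $false by this check.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EkuOid })
}

$old = Set-NdesTemplate -TemplateName 'EXAMPLE-AnyConnectClient'
"Previous: $($old.SignatureTemplate), $($old.EncryptionTemplate), $($old.GeneralPurposeTemplate)"

# After a test enrollment, run this part on the client to see what was issued.
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # "Web Server" purpose (for the ASA)
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # "Client" purpose (for the endpoint)
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        ClientAuth = Test-CertPurpose -Cert $_ -EkuOid $ClientAuth
        ServerAuth = Test-CertPurpose -Cert $_ -EkuOid $ServerAuth
    }
}
```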
