Cisco Support Community
Community Member

AnyConnect machine certificate validation error


I'm trying to get certificate authentication to work for AnyConnect (3.1.02040) using already existing certificates in the machine store (Windows 7 clients).

I get the choose certificate prompt, but when I choose the correct certificate I just get a "Certificate validation failure" error.

So I tried and install a certificate from my lab CA - also in the machine store. And that worked as a charm.

When comparing the logs from DART - I see the following error message from the non-working certificate:


Date        : 07/25/2014
Time        : 11:39:02
Type        : Error
Source      : acvpnui

Description : Function: CTransportWinHttp::SendRequest
File: .\CTransportWinHttp.cpp
Line: 1146
Invoked Function: HttpSendRequest
Return Code: 12186 (0x00002F9A)


After googling I found someon explaining the error code as:

"This is a WinInet/WinHttp error 12xxx will always be one of these.

what it means is you don't have the rights to access the private key for this Client certificate."

Is this correct, and in that case how do I fix the access rights for the certificate?



Everyone's tags (1)

Hi , Does your workstation

Hi ,


Does your workstation has adminstration rights? If so you need to execute with admin access to do so....




Community Member

This was my first idea as

This was my first idea as well, however the new certificate works both with standard user right and of course admin - however the old certificate doesn't work either way.

Hi Clarlie,Hmmm.... Very

Hi Clarlie,

Hmmm.... Very strange....  But when you check the old certificate information like the validity / vendor / trusted CA's something related to cert... do you see any issue or compatability issue? or not matching with the trusted one's?




Community Member

I've started to look through

I've started to look through the certificates again now and stumbled across the "Manage private keys.."-option.

The working certificate had a SID with read rights besides the system and administrator rights. So I tried just adding read rights for the domain users group to the old certificate, and it just started working!

Which is weird since it didn't work regardless of running AnyConnect as admin or not. Well well, at least it works. Thanks for taking the time Karthik!

Hi Charlie, Great to hear at

Hi Charlie,


Great to hear at last it works!!!

Because the certificates in new devices / systems has such compatability or some junk issues with older ones......




CreatePlease to create content