Cisco Support Community

ASA self-signed certificate for Anyconnect 3.1, which attributes?

Hi everybody,

I can't find the detailed information which attributes are exactly needed for the Anyconnect 3.1 client to correctly identify the VPN server -ASA 8.4(4)1

I have added two servers in the client connection profile:

  1. IP address, primary protocol IPsec
  2. IP address/non-default port number, primary protocol SSL

Connecting via IPsec only issues a warning about "untrusted source" (I didn't import the certificate as trusted, but that's not the issue)

Connecting via SSL issues an additional warning "Certificate does not match the server name".

The self-signed certificate (created with ASDM) includes the IP address as DN cn, additionally as alternate identity "IP address". I have exported the certificate and parsed it with openssl (after re-encoding to PKCS#12 DER) and apparently no attributes are included.

I would like to give it a try with certtool and openssl to generate a self-signed certificate which is accepted by the Anconnect 3.1, where can I find a detailed description, which attributes are required for Anyconnect SSL sessions? I'm convinced the identity (DN cn) is OK.


ASA self-signed certificate for Anyconnect 3.1, which attributes

Shamelessly bumping this question,

Anyone out there (maybe from Cisco) who can tell us, which atttributes are required on a self signed certificate?

I keep getting "Certificate does not match the Server Name" for SSL-VPN, IPsec-VPN is fine for the same server.

CreatePlease to create content