Public Key Pinning with the AnyConnect Client

Sleepw4lker
Level 1

Hello everyone,

Does anybody know if there's the possibility to pin the public key of the CA that signed the identity certificate on the ASA, so that if a MITM attack were to occur (which would probably change the public key of the cert visible to AnyConnect), the connection would be impossible?

I noticed that there's a field for a "CA thumbprint" under the Server List in the profile manager. Is this what I'm searching for?

Thanks in advance and kind regards

1 Reply

Jan Rolny
Level 3

Hi,

I think that in case a MITM occurs, the AnyConnect client will warn the user that the certificate does not match.

I am not sure about "CA thumbprint", but there is another feature on the client side called FIPS mode; it would meet your requirements.

Try this document:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac04localpolicy.html

Best regards,

Jan