topic Re: Issue: Certificate authentication not working in Secure Access Cli in Secure Access Discussions

Issue: Certificate authentication not working in Secure Access Client

Chinmaya-Naik — Thu, 09 Oct 2025 11:05:19 GMT

User Provisioning and IdP integration is done.

SAML Authentication is working after integrated IdP

GOAL: Certificate Base Authentication for some machine (windows)

I created a new VPN Profile in CISCO SSE Portal and in Authenticate with CA certificates section we uploaded two certificates:

Root CA
Issuing CA

We uploaded both because currently the Organization Domain system having these two certificates.

After uploaded both certificates then we able to see the details on the Certificates section as below:

Issued to:

<XYZ> Root CA

<XYZ> Issuing CA

Purpose: VPN

Issuer: XYZ Root CA and <XYZ> Issuing CA

Serial Number: 221467160578667016xxxxxxxxxx and 7704348077178571089266226439xxxxxx

Expiration Date: August , 2034 and January 2034

When try to connect the AnyConnect client after mentioning the FQDN then getting the below error:

Certicate Validation Failure

NOTE: We also place the XML file (VPN Profile) C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile.

Please let me know the procedure and next steps to resolve the issue and this requirement.

Thanks in advance for your support!

@Chinmaya-Naik

Re: Issue: Certificate authentication not working in Secure Access Cli

Chinmaya-Naik — Fri, 10 Oct 2025 05:57:03 GMT

Dear Community Team,

Kindly help on this.

@Chinmaya-Naik

Re: Issue: Certificate authentication not working in Secure Access Cli

Chinmaya-Naik — Wed, 15 Oct 2025 05:51:48 GMT

Waiting for the update from community.

Re: Issue: Certificate authentication not working in Secure Access Cli

mupakis — Mon, 17 Nov 2025 16:00:12 GMT

Hi,

So the root CAs and Intermediate CAs in Secure Access are uploaded under Secure > Certificates > Client authentication?
If this is fine, which fields to authenticate did you choose in the VPN-Profile Configuration under Authentication?
And, about what kind of devices are we talking trying to authenticate? Maybe also the wrong certificate is used to authenticate from the Device. You can specify the conditions of the Certificate to choose for authentication in the VPN-Profile config under Cisco Secure Client Configuration > Client certificate Settings.

For e.g. it makes sense to choose Windows > User if we are talking about Windows Devices with enrolled User Certificates.
Also further under certificate matching and Key Usage the attributes of the Certificate can be choosen.

You can check these points to verify configuration. You can also reproduce the Problem and create a DART-Bundle. In the DART-Bundle you can find a more specific reason why the authentication is failing.