Hi,
I'm setting up AnyConnect VPN on a C897vaw router. I have managed to complete the process; however, Google, in their infinite wisdom, have changed things in Chrome (58) whereby the certificate must have a subject alternative name (SAN) extension. Fallback to common name is not enough. (I'm surprised there aren't more hits on this, especially as 58 is fairly old now.) Therefore, I get SSL errors when browsing to the head page.
After trying various commands under ca-trustpoint such as fqdn vpn.mydomain.com and subject-alt-name vpn.mydomain.com, I have discovered there is a bug introduced in 15.1 that hasn't been fixed, meaning neither of these commands correctly adds the SAN extension.
To get around this bug, I have tried to use openssl to generate the CSR with the SAN extension and signed it with Active Directory certificate authority (ADCA); however, at the last hurdle, I get the following error when running:
# crypto pki import ADCA certificate
Paste router certificate...
Cannot import certificate -
Certificate does not contain router's General Purpose public key
for trust point ADCA
% Failed to parse or verify imported certificate
I understand this to mean I need to use the router's public key, meaning I have to generate the CSR on the router, which is no use as it can't generate a CSR with a SAN.
Can anyone suggest a workaround (that doesn't entail linking my CA to the router), or perhaps there is a way to get this to work using openssl tools? Is it possible to download the router's "General public key"?
TIA.
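The post describes two independent requirements that a certificate built outside the router has to satisfy: the browser needs a SAN entry, and the router will only import a certificate whose public key matches the key pair in its trustpoint. The script below is an added example, not the poster's own commands, that reproduces the openssl-based flow end to end (key, CSR with SAN, issuance by a throwaway stand-in CA in place of ADCA) and then runs the two checks a practitioner would want before pasting anything into `crypto pki import`: that the SAN survived issuance, and that the certificate's public key is the one derived from the private key in hand. The second check failing against a different key is exactly the situation the router's "does not contain router's General Purpose public key" message reports. The name vpn.example.com, the "Toy CA" and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# vpn.example.com, "Toy CA" and all file names are constructed for this demo.
set -u

# Write a constructed openssl request config whose v3_req section carries
# the SAN. The same file is reused at signing time so the SAN is copied into
# the issued certificate.
write_req_config() {                       # $1 = work dir, $2 = DNS name
  cat > "$1/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = v3_req
[ req_dn ]
CN = $2
[ v3_req ]
subjectAltName = DNS:$2
EOF
}

# Generate a private key and a CSR that carries the SAN extension.
make_key_and_csr() {                       # $1 = work dir, $2 = DNS name
  write_req_config "$1" "$2"
  openssl genrsa -out "$1/router.key" 2048 2>/dev/null
  openssl req -new -key "$1/router.key" -config "$1/req.cnf" \
    -reqexts v3_req -out "$1/router.csr"
}

# Stand-in for the issuing CA: a throwaway self-signed CA signs the CSR and
# copies the v3_req extensions into the issued certificate.
sign_csr() {                               # $1 = work dir
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/ca.crt" -subj "/CN=Toy CA" -days 30 2>/dev/null
  openssl x509 -req -in "$1/router.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/req.cnf" -extensions v3_req \
    -out "$1/router.crt" 2>/dev/null
}

# Shared helper: does a textual dump contain DNS:<name> on the line that
# follows the "Subject Alternative Name" header?
_text_has_san() {                          # stdin = openssl -text output, $1 = name
  sed -n '/Subject Alternative Name/{n;p;}' | grep -q "DNS:$1"
}

# Check 0 (before sending the CSR to the CA): does the CSR itself ask for the SAN?
csr_has_san() {                            # $1 = csr file, $2 = DNS name
  openssl req -in "$1" -noout -text | _text_has_san "$2"
}

# Check 1 (browser side): did the SAN survive issuance into the certificate?
cert_has_san() {                           # $1 = cert file, $2 = DNS name
  openssl x509 -in "$1" -noout -text | _text_has_san "$2"
}

# Check 2 (router side): is the certificate's public key the one derived from
# this private key? Both sides are rendered as a PEM SubjectPublicKeyInfo and
# hashed, so the comparison is exact rather than textual.
cert_matches_key() {                       # $1 = cert file, $2 = key file
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Demo: build everything, run the checks, then show the mismatch case.
demo() {
  d=$(mktemp -d)
  make_key_and_csr "$d" vpn.example.com
  sign_csr "$d"
  csr_has_san "$d/router.csr" vpn.example.com && echo "CSR requests the SAN"
  cert_has_san "$d/router.crt" vpn.example.com && echo "issued cert carries the SAN"
  cert_matches_key "$d/router.crt" "$d/router.key" && echo "cert matches router.key"
  # A second key stands in for a router trustpoint whose key never signed the CSR.
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  cert_matches_key "$d/router.crt" "$d/other.key" \
    || echo "cert does NOT match other.key: this is the import-time failure"
  rm -rf "$d"
}

demo
```

Running the script prints the three positive checks and then the mismatch line for the second key. Used against a real CSR and a real issued certificate, `csr_has_san` versus `cert_has_san` tells you whether the SAN was lost on the request side or dropped by the CA, and `cert_matches_key` tells you before the paste whether the router's import will be rejected for the key reason in the post.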