Anyconnect Client Certificate


Can someone advise on what type of certificate is needed on the client machines? We are using an internal MSFT CA configured with our ASA. Are there any instructions on the type of certificate template or any specific fields, etc. needed for the clients, which will just be home machines? We are not using SCEP, so can we generate certs internally and supply them to the clients as needed?

9 Replies

Cisco Employee

Please see the link below:

The certificate type should be: user certificate.

You can generate the certs internally and then install them on the individual client machines.
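
As an added example, not from the thread or from Cisco, here is one way to do the internal issuance the reply describes with openssl on the CA side, and to check the two properties the ASA depends on: the certificate chains to the root held in the ASA trustpoint, and it carries the Client Authentication extended key usage (with a UPN in the subject alternative name for username mapping). The CA name, user names, UPNs and the example.com domain are made up for the demo, and openssl 1.1.1 or newer on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: issue AnyConnect user certificates from
# an internal CA with openssl and check the fields the ASA relies on.
# Assumptions: openssl (1.1.1 or newer) on PATH; the CA name, user names,
# UPNs and the example.com domain are made up for this demo.
set -eu

WORKDIR="$(mktemp -d)"                  # scratch dir, removed on exit
trap 'rm -rf "$WORKDIR"' EXIT

# Throwaway root CA standing in for the internal Microsoft CA whose root
# certificate is installed in the ASA trustpoint.
make_root_ca() {
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Example Internal Root CA
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.crt" 2>/dev/null
}

# Issue one user certificate. $1 = CN and file name, $2 = UPN placed in the
# SAN (what a Windows user or CAC certificate carries and what the ASA can map
# to a username), $3 = extended key usage. A user template must yield
# clientAuth; the serverAuth variant below exists only to show the failure.
make_user_cert() {
    name="$1"; upn="$2"; eku="$3"
    cat > "$WORKDIR/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = $name
[user_ext]
basicConstraints       = critical,CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = $eku
subjectAltName         = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$upn
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/$name.cnf" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$name.csr" -sha256 -days 365 \
        -CA "$WORKDIR/root.crt" -CAkey "$WORKDIR/root.key" -CAcreateserial \
        -extfile "$WORKDIR/$name.cnf" -extensions user_ext \
        -out "$WORKDIR/$name.crt" 2>/dev/null
}

# Chain check against the root plus the TLS-client purpose check (clientAuth
# EKU and digitalSignature key usage): the two things that must hold before
# the ASA will accept the certificate for AnyConnect authentication.
verify_user_cert() {
    openssl verify -purpose sslclient -CAfile "$WORKDIR/root.crt" \
        "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Subject in RFC 2253 form, e.g. "CN=alice".
cert_subject() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Extended key usage line, e.g. "TLS Web Client Authentication".
cert_ekus() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

make_root_ca
make_user_cert alice alice@example.com clientAuth   # correct user certificate
make_user_cert bob   bob@example.com   serverAuth   # wrong template for a user

for u in alice bob; do
    if verify_user_cert "$u"; then status=accepted; else status=rejected; fi
    printf '%s: %s, EKU=%s, %s\n' "$u" "$(cert_subject "$u")" "$(cert_ekus "$u")" "$status"
done
```

Running it prints alice as accepted and bob as rejected; both chain to the same root, and the difference that matters is the extended key usage, which is why a certificate cut from a web-server template is refused even though the issuing CA is trusted. On a Microsoft CA the User template (or a duplicate of it) already carries Client Authentication under Application Policies. On the ASA side the issuing root belongs in a trustpoint imported with enrollment terminal and crypto ca authenticate, and the tunnel-group needs authentication certificate under its webvpn-attributes so that AnyConnect does not prompt for a username and password.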

Does this configuration use the Essentials or Premium license?  If Essentials, can it be used with CAC?

You would need an Essentials or a Premium license if you want to connect more than 2 users.

Please specify what CAC is.

Well, I have the Essentials license and am trying to connect with certificates (CAC, common access card), but I keep getting errors when using LDAP with certificates.  No users are able to log in without an ID/password, which I cannot use.  Here is a copy of my config....

Do you have the root cert on the ASA from which the client certs have been issued?

Also, is the trustpoint applied correctly on the outside interface?

Please share the debug outputs of the following when the client tries to connect:

debug crypto ca messages 255

debug crypto ca transactions 255

debug crypto ca 255

Yes, the root cert is installed on the ASA, along with this trustpoint:

crypto ca trustpoint ID-Root

Please share the output of show run ssl and the above-mentioned debugs.

Result of the command: "sh run all ssl"

ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint1 outside


Result of the command: "sh asp table sock"

Protocol  Socket    Local Address               Foreign Address         State
TCP       004467af*               LISTEN
SSL       004470ef*               LISTEN
TCP       0005692f    *               LISTEN
SSL       00c8b6cf   *               LISTEN
DTLS      0088911f   *               LISTEN
SSL       004b24c8    ESTAB
SSL       000cfaa8    ESTAB
SSL       004c9f18    ESTAB


I am still getting those crypto errors and wonder if you have any ideas.
