AnyConnect "Untrusted VPN server certificate"

Joel.Benson
Level 1

Some of my VPN clients get an untrusted certificate error for AnyConnect client 3.1, but some do not.

Is there any reason why this would happen? I have checked the certs on the tokens and all of them have the correct certs, but only some have the issue of untrusted VPN server certification.

Thank you,

Joel


5 Replies

Rahul Govindan
VIP Alumni

Is it possible that there is another device in between presenting another SSL cert? I have seen it happen when clients connect via Hotel wifi. According to your screenshot, it seems to be receiving a cert that

1) had the "issued to" wrong name

2) was issued by an untrusted ca

3) did not have the right Key usage attribute

Chances of all 3 conditions failing seem odd. I would suggest they try to access the URL via a browser and see which certificate they receive back (IE shows a red lock sign near the URL). That will give you an idea of what could be different for these users.

Hope this helps.

I get the red shield, on other users.

It also says that the cert could not be found on the local machine.

Is it that the cert is not being pulled from the token?

The red shield and the error pasted above are seen when the ASA server certificate validation fails. The certs from the tokens, if I understand correctly, are meant for client certificate validation. There are 2 separate steps, with client cert validation taking place after the server certificate (ASA) is validated by the client. I do not think they are related.

If you click on the red shield, can you see what certificate details show up? Does it show the subject name of your ASA?

So yesterday I dug deep into this and it is a Windows issue not pulling the certs correctly off of the token. I thought it was a token-to-user issue before, but on certain client devices it gives you the error: "Windows does not have enough information to verify this cert"

I appreciate the leads that you gave me. When I check the SSL it gave me that error and when I dug deeper into certmgr.msc it gave me the above error message.

"Windows does not have enough information to verify this cert" usually means your server certificate is not issued by a trusted CA. You would need to check what certificate is being received by client during SSL handshake with the ASA. The easiest way to do this is through a browser session to the VPN url. You can also capture the ssl handshake using Wireshark and see this if you want.
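The check described in the accepted answer (see which server certificate the client actually receives from the ASA during the TLS handshake, and whether it chains to a trusted CA and is issued to the right name), as an added example that is not part of the original thread. It uses only the Python standard library; the `SAMPLE_CERT` dict is a constructed stand-in for what `ssl.SSLSocket.getpeercert()` returns, not a real ASA certificate. Note that the stdlib dict is only populated after a successful verification and does not expose key usage, so this covers conditions 1 and 2 from the earlier reply; for the third you would still open the certificate in the browser or Wireshark.

```python
import socket
import ssl

def _label_match(pattern, host):
    """Match one SAN/CN pattern against a hostname; a wildcard is honoured only in the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host

def names_in_cert(cert):
    """Names the cert was 'issued to': SAN dNSName entries if present, otherwise the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def issued_to_matches(cert, host):
    return any(_label_match(name, host) for name in names_in_cert(cert))

def issuer_cn(cert):
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"), None)

def check_vpn_server_cert(host, port=443, timeout=5.0):
    """Verified TLS handshake against the VPN headend using the system trust store.
    On failure, reports OpenSSL's reason (e.g. 'unable to get local issuer certificate')."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking, like a browser
    result = {"host": host, "trusted": False, "verify_error": None, "issued_to_ok": None, "issuer": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result.update(trusted=True, issued_to_ok=issued_to_matches(cert, host), issuer=issuer_cn(cert))
    except ssl.SSLCertVerificationError as e:
        result["verify_error"] = e.verify_message  # untrusted CA, hostname mismatch, expired, ...
    except OSError as e:
        result["verify_error"] = "connection failed: %s" % e
    return result

# Constructed sample in the shape getpeercert() returns; hypothetical names, not a real ASA cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Corp Internal CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}

if __name__ == "__main__":
    import sys
    print(check_vpn_server_cert(sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"))
```

Run it from an affected and an unaffected client against the same VPN URL: a differing `issuer` or a `verify_error` on only some machines points at an intercepting device or a missing CA in that machine's trust store rather than at the token.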
