Thanks Neno -  was under the impression that certs were required for AnyConnect authentication  - is that not correct ?

OK, let me expand a bit more. Certificates with AnyConnect VPN can play two different functions:

1. A certificate is needed for SSL based VPNs. AnyConnect VPN is an SSL VPN so it will fall under the same category. The certificate is essentially used to encrypt the connection by creating a secure tunnel. Once the tunnel is up credentials can be passed through it securely. The certificate here can be issued by either the ASA directly (self-signed), issued by an internal CA (Sounds like this is what you are doing) or signed by a public/well-known CA (GoDaddy, VeriSighn, etc). What really matters here is that the remote user/machine trying to establish the VPN trusts the CA that issued that certificate. Thus, it is best practice to use a certificate from a well known/public CA. That way any users/machines (internal or external) will trust the certificate and will never get the "untrusted certificate/site) error when trying to establish the VPN. If you are using a certificate from your internal CA then you have two options:

1. Replace that certificate with one from a well-known/public CA. This won't be free but not expensive either. GoDaddy would be a valid and very low cost solution

2. If #1 is not an option then you have two sub-options:

2.1. The contractors/vendors will have to accept/trust the untrusted connection. This is not ideal and not secure but it is an option. 

2.2. You can export the root CA certificate from your CA and have the contractors import that in their trusted root certificate stores. This is not a security issue for you as you are simply making your CA be trusted by another party.

2. Optionally, the authentication (credentials) can also be certificate based. That way, the user does not have to type a username/password but simply present a valid certificate from a certificate authority that the VPN device trusts. The certificates in this case can be issued by an internal or an external CA. Again, the main thing to remember here is that the ASA must trust the CA that issued those certificates. 

I hope this cleared things up!

Thank you for rating helpful posts!

2.2. You can export the root CA certificate from your CA and have the contractors import that in their trusted root certificate stores. This is not a security issue for you as you are simply making your CA be trusted by another party.

This is where I'm having the issue. I was hoping to use another 3rd party CA as it was assumed this would be a security issue if we exported from our internal root. I'm wondering if I can find definitive documentation on how this is not a risk

I am by no means an expert on certificates/CAs/PKI so please take my answer with a grain of salt :) Also, this sort of question might be best asked on a Microsoft/Symantec/etc type forum. 

However, AFIK, there is not security issues with exporting the root CA's certificate as long as you are NOT exporting and distributing the private key. If you look at your trusted certificate store on your computer you will see tons of root and intermediate CA certificates from different vendors such as GoDaddy, VeriSign, etc. Thus, I doubt such large CAs would put themselves in a bad position and exposing themselves to security issues. The idea here is that you trust those CAs for certificates that they have issued/signed. 

I hope this helps!

Thank you for rating helpful posts!