Certificate Matching and Certificate Store issue

Rafa
Level 1

Hi there, just a little question.

One month ago, I changed to the Local CA from the ASA with self-signed certs, created by the ASA itself.

I have set the XML profile to Certificate Store: All and a Certificate Matching.

Now, I have installed the certs in the Trusted People store.

Why does AnyConnect not look in this store?

Do I need admin rights to go to this store?

Best regards

Rafael

5 Replies

Rahul Govindan
VIP Alumni
'All' here represents both User and Machine store. But AnyConnect looks into the Personal store, where user certificates with private keys are usually stored. For User store, you don't need Admin rights, but Machine store usually does. You can grant AnyConnect privileges to look into that store by enabling the Certificate store Override on the XML profile.

I thought I've tried that too, but no success.

I will test it again and let you know.

Thanks in advance

Best wishes

Rafael

Hi there.

So I have tested the setting:

CertificateStore - ALL

CertificateStoreOverride - true

but no success.

The certs are in the path: Current User\Trusted People\Certificates

When I copy them to the folder: Current User\Personal\Certificates, AnyConnect will start the connection and check with the local CA.

Is there any other possibility to let AnyConnect check in another store? Not just the Personal store?

Best regards

Rafael

Rahul Govindan
VIP Alumni
Unfortunately, there is no setting to change this on the ASA or the client. The client is always going to check in the Personal store as that is where User certificates (and associated private key) should usually reside on a Windows system. Trusted people store is usually meant for self-signed certs or certs that are explicitly trusted by any application.

Ok, so I have to install the certs in the Personal store.

Thanks a lot for your help.

Sincerely yours

Rafael
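The check the thread arrives at, as an added PowerShell example (not code from any poster): it lists the current user's certificates from the Local CA in the Personal and Trusted People stores, reports whether each has a private key, and optionally copies usable ones into Personal. The issuer pattern is a placeholder assumption, and the `$CopyToPersonal` switch and function name are hypothetical.

```powershell
# Added example. Run as the VPN user; CurrentUser stores need no elevation.
# ASSUMPTION: placeholder issuer pattern; set it to your ASA Local CA's subject.
$IssuerPattern  = '*CN=ASA-LOCAL-CA-PLACEHOLDER*'
$CopyToPersonal = $false   # set to $true to copy usable certs into Personal

function Get-UserCert {
    param([Parameter(Mandatory)][string]$StoreName)   # 'My' is the Personal store
    Get-ChildItem -Path "Cert:\CurrentUser\$StoreName" |
        Where-Object { $_.Issuer -like $IssuerPattern } |
        Select-Object @{n='Store';e={$StoreName}}, Subject, Thumbprint, NotAfter, HasPrivateKey
}

# 1. Show which store each matching certificate is in.
$inPersonal      = @(Get-UserCert -StoreName 'My')
$inTrustedPeople = @(Get-UserCert -StoreName 'TrustedPeople')
$inPersonal + $inTrustedPeople | Format-Table -AutoSize

# 2. Certificates present only in Trusted People are the ones the thread is about.
$missing = $inTrustedPeople | Where-Object { $_.Thumbprint -notin $inPersonal.Thumbprint }

foreach ($c in $missing) {
    if (-not $c.HasPrivateKey) {
        # Client authentication needs the private key, so copying this one would not help.
        Write-Warning "$($c.Subject): no private key on this machine, skipping"
        continue
    }
    if ($c.NotAfter -lt (Get-Date)) {
        Write-Warning "$($c.Subject): expired on $($c.NotAfter), skipping"
        continue
    }
    Write-Output "$($c.Subject): only in Trusted People, not in Personal"

    if ($CopyToPersonal) {
        $cert  = Get-Item -Path "Cert:\CurrentUser\TrustedPeople\$($c.Thumbprint)"
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
        $store.Open('ReadWrite')
        try     { $store.Add($cert) }   # adds a copy; the Trusted People entry is left in place
        finally { $store.Close() }
        Write-Output "  copied to Cert:\CurrentUser\My"
    }
}
```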