Cisco AnyConnect Secure Mobility Client selecting wrong certificate at startup


I have a problem that is driving me nuts.

Here is the pertinent information first...

Windows 7

Cisco AnyConnect Secure Mobility Client 3.0.4235

Cisco ASA 5510 firewall 8.2

The problem is...

...When I log in, the client does its start-up bit, and then displays a "This certificate is intended for the following purpose(s):" message. If I decline the certificate, it gives me the error message shown in the image, but I can otherwise continue and establish my VPNs with no problem.

Unfortunately, the certificate it selects has nothing to do with my organization (in fact, the certificate is for "*" - see images). To make matters worse, I cannot find this referenced certificate anywhere under my user context in Windows.

I have tried removing, rebooting, and re-installing - it does no good.

How do I force the client to stop using this incorrect certificate, and to at least use one that belongs to my organization? 

Thank you,


7 Replies

Jason Jeanveau

I have the same issue, almost exactly - the only difference is that I am using version 2.5.3055 of the AnyConnect client.

When I try to connect to my VPN, I get the same * certificate coming up, and whether I accept, decline or cancel, I am unable to connect. I CAN connect if I access my VPN using the webvpn link.

Hopefully someone finds a solution for this, because I have a lot of users that connect to my VPN.


Try editing the profile to look for the cert you want. I have mine looking for certs with a certain OU.

The issue does not seem to be with the user certificate, it seems to be with the site certificate. When I open the AnyConnect client, I have it set to ask which certificate to use. I select my certificate, but it is after that point where the error occurs, as if my ASA is sending out the * certificate.

I have not made any changes to my certificates since February, and this issue only began on May 4th.

After some more troubleshooting today, I tried a few more steps, and have been successful:

1) I removed my device certificate from the interfaces it was assigned to

2) I completely rebuilt my AnyConnect profile .xml file, and assigned it to the relevant group

3) I reenabled the device certificate on my interfaces.

Once that was done, my connections are working properly, and the issue with the * certificate is gone.

I hope this helps someone else, because this drove me crazy for a few days.



Another update to this issue:

The *.whitepages certificate has come back. It still only happens when I try to connect to my gateway by FQDN. If I use the IP address, I don't have this problem. I have not been able to find any other person who is experiencing this issue, but it's strange that we would both be having the problem with the same certificate name.

Win7 32bit

Client 3.0.08057

ASA5510 8.4(4)1

I have almost the exact same issue. What I think happens is that the AnyConnect client lists the certificates that are in the user certificate store of the Windows 7 machine. Unfortunately it does display the already installed user certificate from the ASA. I got around this issue by adding Certificate Matching to my client Profile. I used the ISSUER-CN for matching. And now it works smoothly.

I've come across this issue also. I've put in values for Certificate Matching BUT it only applies AFTER the first login attempt. So on the first login attempt it will use the wrong cert, the user logs out, then on the second login attempt it reads the newly downloaded connection profile, identifies the certificate matching value, and then denies the login unless the proper certificate is in place.
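The Certificate Matching the two replies above describe (ISSUER-CN, and the OU match mentioned earlier in the thread) lives in the `<CertificateMatch>` section of the AnyConnect client profile XML. The fragment below is an added illustration, not a profile from any poster in this thread; the issuer CN and OU values are placeholders to be replaced with your own CA's issuer name and your organization's OU.

```xml
<!-- Added example fragment of an AnyConnect client profile (.xml).
     The CertificateMatch element sits inside <ClientInitialization>.
     Issuer CN and OU values below are placeholders, not real names. -->
<ClientInitialization>
  <CertificateMatch>
    <DistinguishedName>
      <!-- Only offer client certificates issued by your own CA.
           ISSUER-CN is the match field the reply above used. -->
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
        <Name>ISSUER-CN</Name>
        <Pattern>EXAMPLE-ORG Issuing CA</Pattern>
      </DistinguishedNameDefinition>
      <!-- Optionally also require the subject OU the earlier reply relied on,
           so a stray "*" certificate in the user store is never a candidate. -->
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
        <Name>OU</Name>
        <Pattern>EXAMPLE-VPN-USERS</Pattern>
      </DistinguishedNameDefinition>
    </DistinguishedName>
  </CertificateMatch>
</ClientInitialization>
```

As the last reply notes, the profile is pushed from the ASA on a successful connection, so a client that has never downloaded the updated profile still uses its old selection rules on the first attempt; after that attempt the new matching rules take effect.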