Does ALL Anyconnect VPN need certificate ?

eigrpy
Level 4

Hi, I am new to AnyConnect VPN. Maybe my question is a little strange. I would like to know if a certificate is required for ALL AnyConnect VPNs? I guess most of them need it. Do you think so? If so, can I export the certificate from the ASA and then import the certificate into the PC? Do you think this is a good way? Thank you!

6 Replies

Dinesh Moudgil
Cisco Employee

Since AnyConnect is based on SSL VPN, the first time you try to connect you get prompted with the certificate on the ASA.

If you have a dedicated certificate installed on the outside interface, then that will be shown to the client; otherwise the ASA randomly generates a certificate and sends it to the client.

So when you try to connect, it gives you the untrusted server certificate error, and that is expected behavior.

If you have a small deployment, create a self-signed certificate on the ASA, apply it on the outside interface and install that on the user's machine. Otherwise, for large deployments, you can get a third-party certificate for the ASA, and then you won't have to push the certificate to every machine.

Here is a link you can refer to for creating a self-signed certificate on the ASA for WebVPN/AnyConnect VPN.
https://supportforums.cisco.com/document/44116/asa-self-signed-certificate-webvpn

Regards,
Dinesh Moudgil

 

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
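The flow in the reply above (self-signed certificate on the ASA, "untrusted server certificate" on the client until that certificate is installed as a trust anchor), modelled with openssl on a workstation. This is an added example, not code from the thread or from Cisco: a locally generated self-signed certificate stands in for the one the ASA creates, and the hostname vpn.example.com, the file names and the temporary directory are assumptions. The fingerprint helper is the check a practitioner should do before importing an exported certificate: compare it with the fingerprint the ASA reports so the file being trusted is really the ASA's.

```shell
#!/bin/sh
# Added example (not from the original thread). Models the ASA self-signed
# certificate flow with openssl. vpn.example.com and all file names are
# assumptions; no real ASA is contacted.
set -eu

# Generate a self-signed identity certificate, standing in for the one the
# ASA creates for its outside interface. Writes key and cert into directory $1.
# (A production certificate also needs a subjectAltName for the VPN hostname.)
make_asa_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=vpn.example.com" \
        -keyout "$dir/asa.key" -out "$dir/asa.cer" 2>/dev/null
}

# SHA-256 fingerprint of a certificate file, as upper-case colon-separated hex.
# Compare this with the fingerprint the ASA shows for its trustpoint before
# trusting an exported file on a workstation.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# Subject line of a certificate; the CN should be the name users connect to.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Verify a server certificate the way a TLS client does. With no trust file,
# a self-signed certificate fails (the "untrusted server certificate" error).
# With the exported certificate supplied as trust anchor ($2), it passes.
# Returns 0 when openssl reports "OK", non-zero otherwise.
verify_cert() {
    cert=$1
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$2" "$cert" 2>&1 | grep -q ': OK$'
    else
        openssl verify "$cert" 2>&1 | grep -q ': OK$'
    fi
}

# Demo: the sequence the thread describes.
workdir=$(mktemp -d)
make_asa_cert "$workdir"
echo "ASA certificate: $(cert_subject "$workdir/asa.cer")"
echo "ASA fingerprint: $(cert_fingerprint "$workdir/asa.cer")"
if verify_cert "$workdir/asa.cer"; then
    echo "before import: trusted (unexpected for a self-signed certificate)"
else
    echo "before import: untrusted server certificate"
fi
cp "$workdir/asa.cer" "$workdir/exported.cer"   # stands in for the ASDM export step
echo "exported fingerprint: $(cert_fingerprint "$workdir/exported.cer")"
if verify_cert "$workdir/asa.cer" "$workdir/exported.cer"; then
    echo "after import: trusted"
fi
rm -rf "$workdir"
```

On a Windows client the import step the later replies refer to is, in PowerShell, `Import-Certificate -FilePath asa.cer -CertStoreLocation Cert:\CurrentUser\Root` (assumed file name). Anything placed in that store is a trust anchor for every TLS connection the user makes, so check the fingerprint against the ASA first, and prefer a CA-issued certificate wherever the deployment allows it.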

Thank you so much for your reply. Let's suppose the ASA has been installed with a certificate, and the remote PC does not have any certificate. If the PC tries to log onto the ASA through the web page, the PC should be refused, right? How about this: can we export the certificate from the ASA and then import the certificate into the PC? Do you think it is all right?

Yes, if that certificate is a self-signed certificate, then the PC will be given the UNTRUSTED SERVER CERTIFICATE error.

And yes, we can export the certificate from the ASA and import it to the PC.
Here is the link for exporting the self-signed certificate:

https://supportforums.cisco.com/document/12466681/how-export-asa-identity-certificate-through-asdm


Regards,
Dinesh Moudgil

Excellent! I just did it based on what you said above.

I got a "Certificate error" message in the address bar of IE. Please see the screenshot in the attachment. I do not know if I did something wrong while exporting and importing the certificate.

Can you confirm whether the certificate has been installed in the Trusted Root Certification Authorities folder under the User Store? I just tested this and it works fine.

Here are the snippets for your reference:

Verify the certificate in the MMC console of the workstation:


Regards,
Dinesh Moudgil


Thank you for your reply. I tried it and it cannot work. I also get all the messages like what you did above. I doubt the certificate can work well. So I want to test it again in another isolated system. I will get back here after that test. You are welcome at that post too. Thank you again.

https://supportforums.cisco.com/discussion/12566311/where-web-page-located-asa-when-we-set-anyconnect-vpn