How to enable Mac AnyConnect to connect even with expired cert?

AvantiPress
Level 1

We're in the process of transitioning between VPN products.

The cert for our SSL VPN is expiring on Dec 30, and in order to renew it we would need to upgrade the IOS version on our VPN device (ASA 5510) - because our IOS version does not support SHA2 certificates for this purpose.

Since we're in the process of implementing a Meraki VPN which should be complete mid-January, we do not want to do that.

Obviously this is a bad practice, but we're hoping to determine how to force the Cisco AnyConnect Client for Mac to connect even if the certificate is expired, just until we get the new VPN running, due to our circumstances.

We've tested an older Windows client, which will allow us to connect with an expired certificate, but our Mac client, 3.1.03103 absolutely will not allow us to connect.

Self-signed certificates may be a possibility, but if I recall correctly that requires deployment of the self-signed cert to the trusted root store on all users' machines.

Any ideas how we can do this, or perhaps a method we're overlooking that will allow us to keep our VPN users going until the January 15th cutover?

Thanks in advance.
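The situation described above is the kind an expiry check catches in time. As an added example (not from this thread or from Cisco), the shell functions below report how soon a PEM certificate expires and which signature algorithm it carries, so a gateway that still signs with SHA-1 and is close to expiry shows up before the renewal deadline; the certificates and the `vpn.example.test` name are constructed for the demonstration.

```bash
#!/bin/sh
# Added example: pre-expiry check for a VPN gateway certificate.
# Requires the openssl CLI; works on PEM files saved from the gateway.
set -eu

# cert_expiry_status CERT DAYS -> prints EXPIRES_SOON if the certificate
# expires within DAYS days, otherwise OK. "openssl x509 -checkend" exits 0
# only when the certificate is still valid at the end of the window.
cert_expiry_status() {
  cert="$1"; days="$2"
  if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
    echo OK
  else
    echo EXPIRES_SOON
  fi
}

# cert_sig_alg CERT -> prints the signature algorithm, e.g.
# sha1WithRSAEncryption (needs replacing) or sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_not_after CERT -> prints the notAfter date for a human-readable report.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# make_test_cert OUT DAYS -> constructed self-signed SHA-256 certificate
# valid for DAYS days (key written next to it), used only for this demo.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days "$2" -sha256 -subj "/CN=vpn.example.test" >/dev/null 2>&1
}

# Stand-alone run: a 10-day and a 365-day certificate checked against a
# 30-day warning window. Run the functions against the real gateway
# certificate instead of the constructed ones in practice.
if [ "${DEMO:-1}" = 1 ]; then
  workdir="$(mktemp -d)"
  make_test_cert "$workdir/short.pem" 10
  make_test_cert "$workdir/long.pem" 365
  for c in "$workdir/short.pem" "$workdir/long.pem"; do
    printf '%s: %s, expires %s, signed with %s\n' "$c" \
      "$(cert_expiry_status "$c" 30)" "$(cert_not_after "$c")" "$(cert_sig_alg "$c")"
  done
fi
```

Schedule the check well ahead of any renewal that needs a platform upgrade, since the thread shows the upgrade itself can take longer than the remaining lifetime.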

2 Replies

Rahul Govindan
VIP Alumni

If you use the self-signed certificate option, users can still connect if they ignore the warning and click 'Connect Away'. Drawback is that they will get that error each time they connect and it is a hassle if you have to communicate this messaging to everyone if there are a lot of users.

I am not sure if this is an option, but some CAs allow you to rekey the certificate for free. You could create a new sha1 cert and rekey the cert to use the sha2 algorithm (hopefully for free) after you have upgraded the ASA version. This should ensure enough time for you to plan an upgrade without service interruption for VPN users. Best check with the CA support team if this is an option.

Thanks for the reply, Rahul.  Unfortunately our CA will only generate SHA2s.  What we've done is to switch our Mac users over to IPSec using a shared secret instead of a cert.