Installing a certificate on an iPhone for VPN use

MikeM-2468 · ‎03-30-2011

As I chip away at the tasks I need to complete in order to get on demand VPN to work on an iPhone, I'm a bit puzzled as to how I can get the certificate installed on the iPhone. I'm also not sure if I'm exporting the correct cert from the ASA. I'm exporting the identity cert from the ASA but I'm not sure if it should be in PEM or PKCS12 format. I've tried both. I tried putting the cert file in a place that I could get to from Safari. That doesn't work. Tried in email too. Am I on the wrong path completely?

andamani · ‎03-30-2011

Hi Mike,

I understand that you are trying to configure SSL VPN connection with ASA. The following link gives you details of certificates on Iphones.

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iphone.html

Hope this helps.

Regards.

Anisha

P.S.:please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

MikeM-2468 · ‎03-31-2011

Thanks for the reply. That's the document that I had been working from before. There isn't enough detail in there. I guess my real question focuses more on exporting the identity cert from the ASA but I'm not sure if it should be in PEM or PKCS12 format and neither of those seem to be able to be imported into the phone. In testing, I'm not even able to import either of those into Windows. When I export them, it asks that it be exported with a pasphrase. When I import it in Windows, it asks for a password and the one I use at export doesn't work. Am I trying to use the wrong cert?

MikeM-2468 · ‎04-01-2011

It seems that I should be installing a client or user cert from the CA. I've done both but the option in AnyConnect to use certificates is still grayed out.

MikeM-2468 · ‎04-01-2011

The solution was in exporting the user certificate from my PC's web browser as a .PFX. Importing that into the iPhone (sent via email) worked to enable the Use Certificates option in the AnyConnect client.

scott.parr · ‎02-23-2016

So there is no other solution past using the AnyConnect Client?

I have followed recommendations above - but the option is still greyed out. When I look at the actual cert from a VPN Cert that works (From another system) it shows: VPN Certificate & Certificate... the one I am generating from my CV325 simply states: Certificate. Could this potentially be the issue?

iwearing · ‎06-17-2011

Mike,

I read your post with interest as I have a similar issue. I am using a Micrsoft Internal CA. I have generated a CSR for an Identity Cert for my ASA. I import the CA Root cert and signed Identity Cert onto the ASA.

Im not so sure If I can use the same Certificates on the IPhone or do I need to create an Individual Identity Certificate for each IPhone to be used.

Any comments would be appreciated.

thanks

Ian.

MikeM-2468 · ‎06-17-2011

I wouldn't recommend using the same cert for everyone. I'm using individual certs for every user. That way I can revoke one if I need to and it won't impact all users. In my case, I tested the CRL backwards and forwards so I knew how it would work if I needed to revoke access.

iwearing · ‎06-17-2011

Mike,

Thanks for the update.

Did you have to install the CA Root Certificate and the Identity cert on the IPhone.

thanks

Ian.

MikeM-2468 · ‎06-17-2011

You don't have to install anything but the user cert on the iPhone. You can install the CA just so future certs would be trusted, but it isn't required.

MathewKurian09214 · ‎10-22-2020

I had this issue too. Deploying a certificate to an IOS device and getting the Anyconnect App to recognize the device has a cert.

The way I got my setup to work was I had to use an MDM, Microsoft Intune. Deploy either PKCS cert or you can use SCEP deployment which involves setting up an NDES server.

After you set up your certificate deployment from Intune, you have to also set up a VPN profile deployment. In that VPN Profile deployment select the certificate that you configured from your Intune deployment and save. once deployed to the device you should see the certificated issued to your device in AnyConnect by going into the AnyConnect app, Diagnostics, Certificates. Please see attached screen shot of Intune MDM vpn profile config.