New iOS Anyconnect Client won't install ASA CA client certs

85MikeTPI
Level 1

We use the ASA as a CA for some client certs as 2FA when needed. Now that iOS 12 requires the new AnyConnect (non-legacy) client, we find it will no longer install these certs. I've even exported the cert from the ASA and manually installed it in the keychain, but AnyConnect refuses to find/acknowledge it.

I've read that the SHA-1-only certs that ASAs produce could be the problem; does anyone have a workaround?

4 Replies

SHA-1 is declared as unsupported by many manufacturers such as Apple and Microsoft.

You need to move to SHA-2.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200602-Configure-ASA-as-a-Local-CA-Server-and-A.html

Guidelines and Limitations

  • The ASA as of now acting as a Local CA server only supports generation of SHA1 certificates.

So while that is an ideal suggestion, in practice my question still remains unanswered.
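
To confirm which hash actually signed a client certificate exported from the ASA, here is an added example (not from this thread, Cisco, or the ASA): a standard-library Python walker that reads the certificate's outer signatureAlgorithm OID from its DER bytes and names the hash. The sample_cert helper and the OID constants are constructed stand-ins for demonstration, not real certificates.

```python
# signatureAlgorithm OID -> hash name, for the common RSA/ECDSA algorithms
SIG_HASH = {
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}

def read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """DER OID content -> dotted string (the first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, ... }
    and return 'SHA-1', 'SHA-256', ... or 'unknown (<oid>)' for other algorithms."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not DER (convert PEM with: openssl x509 -in cert.pem -outform DER)")
    _, _, tbs_end = read_tlv(der, start)        # skip the whole tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_HASH.get(oid, "unknown (%s)" % oid)

# Constructed sample, not a real certificate: only the outer shape the walker reads.
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload  # short-form length is enough here

def sample_cert(oid_hex):
    tbs = _der(0x30, _der(0x02, b"\x01"))        # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

SHA1_RSA_OID = "2a864886f70d010105"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11
```

Run signature_hash() on the DER bytes of a real exported cert (a SHA-1 result is what the thread describes iOS rejecting); the same answer appears in the "Signature Algorithm" line of openssl x509 -text.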

Rahul Govindan
VIP Alumni

I don't know if there is any easy way around it. I do not think SHA-2 certs have been implemented on the ASA as local CA yet.

Have you tried the workaround provided by the user in this thread:

https://community.cisco.com/t5/vpn-and-anyconnect/new-anyconnect-ios-app-certificate-auth-failing/m-p/3753842/highlight/true#M147777

Unfortunately, the enhancement bug for SHA-2 local CA certs has not yet been fixed:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux74639