Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1206
Views
25
Helpful
4
Replies

New iOS Anyconnect Client won't install ASA CA client certs

85MikeTPI
Level 1
Level 1

‎02-27-2019 08:12 AM - edited ‎02-21-2020 09:34 PM

We use the ASA as a CA for some client certs as 2FA when needed.  Now that iOS 12 requires the new Anyconnect (non-legacy) client, we find it will no longer install these certs.  I've even exported the cert from the ASA and manually installed it in the keychain, but Anyconnect refuses to find/acknowledge it.

 

I've read that the SHA1-only certs that ASAs produce could be the problem, does anyone have a work-around?

 

Labels:
4 Replies 4

Mohammed al Baqari
Level 11
Level 11

‎02-27-2019 07:47 PM

SHA-1 is declared as unsupported by many manufactures such as apple and
Microsoft.

You need to move to SHA-2.

85MikeTPI
Level 1
Level 1
In response to Mohammed al Baqari

‎02-28-2019 03:49 AM

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200602-Configure-ASA-as-a-Local-CA-Server-and-A.html

 

Guidelines and Limitations

  • The ASA as of now acting as a Local CA server only supports generation of SHA1 certificates.

 

So while that is an ideal suggestion, in practice my question still remains unanswered.

Rahul Govindan
VIP Alumni
VIP Alumni

‎02-28-2019 05:34 AM

I don't know if there is any easy way around it. I do not think Sha2 certs have been implemented on the ASA as local CA yet.

 

Have you tried the workaround provided by the user in this thread:

 

https://community.cisco.com/t5/vpn-and-anyconnect/new-anyconnect-ios-app-certificate-auth-failing/m-p/3753842/highlight/true#M147777

Rahul Govindan
VIP Alumni
VIP Alumni
In response to Rahul Govindan

‎02-28-2019 07:06 AM

Unfortunately, enhancement bug for Sha2 local CA certs has not yet been fixed:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux74639

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents