Showing results for 
Search instead for 
Did you mean: 

VPN Anyconnect not connecting using certificates

Christian Jorge
Level 1
Level 1

Good morning


We are facing some issues to connect Anyconnect via certificates.

Our goal is authenticate VPN user with certificate and also with LDAP login. LDAP login / LDAP attribute-map has been working fine before including certificates.

We are using our certificate authority server. Only need to input certificate chain (root / subordinate) (as so identity certificate) on the firewall and the performing the same in all the VPN client machines.

VPN clients searchs for fqdn related to firewall interface. Firewall identity certificate presents DN with this public name (ex:


But even trying this, VPN connection fails in first steps, like not recognizing certificates. I'm afraid that both sides are not using the exact certificate template or something is mismatched.

...and still presenting that warning/not trusted certificate message.


Follow errors and configuration




#Firewall version:

Cisco Adaptive Security Appliance Software Version 9.1(6)4

#Anyconnect version: anyconnect-win-3.1.10010-k9.pkg





crypto ca trustpoint VPN_Root_CA
enrollment terminal

crypto ca trustpoint VPN_Sub_CA
enrollment terminal
keypair VPN_CA_keypair

crypto ca trustpool policy

tunnel-group VPN_ANYCONNECT_Client type remote-access
tunnel-group VPN_ANYCONNECT_Client general-attributes
   authentication-server-group VPN-LDAP-AUTH

tunnel-group VPN_ANYCONNECT_Client webvpn-attributes
   authentication aaa certificate


ssl trust-point VPN_Sub_CA internet
  ssl server-version tlsv1




#Debug messages


firewall/pri/act# Public archive directives retrieved from cache for index 1.
CERT_API: PKI session 0x0f4aa721 open Successful with type SSL

CERT-C: E ../cert-c/source/certobj.c(870) : Error #722h

CRYPTO_PKI: can not set ca cert object (0x722)
SSL verify callback: Failed to add the ID cert to the PKI sessionCERT_API: Close session 0x0f4aa721 synchronously
CERT_API: PKI session 0x0fb518d9 open Successful with type SSL

CERT-C: E ../cert-c/source/certobj.c(1516) : Error #701h

CERT-C: E ../cert-c/source/certobj.c(1528) : Error #72ah

CERT-C: E ../cert-c/source/certobj.c(874) : Error #72ah

CRYPTO_PKI: can not set ca cert object (0x72a)
SSL verify callback: Failed to add the ID cert to the PKI sessionCERT_API: Close session 0x0fb518d9 synchronously
Public archive directives retrieved from cache for index 1.
Public archive directives retrieved from cache for index 1.


6    Sep 25 2015    19:15:47    725003    21750            SSL client internet: request to resume previous session.




Any ideas?







4 Replies 4

Cisco Employee
Cisco Employee

Is the ASA's IS cert generated from a 3rd part CA?

if not, then the untrusted cert warning is expected

We have 2 trustpoints: one related to Entrust (an well-known CA for browsers) and another related to a customer internal CA.

Customer consider two VPN groups: one group for internal users and another group for partner/3rd party users.

Internal users must use machine-certificate for VPN autentication. For this task, we are considering "authentication by certificate" in webvpn section in tunnel-group, as usual.

We have configured "ssl trust-point" linked do internal CA trustpoint and all internal users have internal CA certificate both in theirs browsers as so as related to their machine-certificate.

Partner/3rd party users don't need to use certificate for authentication, only user/password login.

But they are facing hard work to install anyconnect from ASA in their personal machines due to initial certificate connection with ASA (probably that first step when connecting via browser and internal CA is untrusted). Remember that ASA consider internal, not well-known CA for browsers, SSL certificate assigned to Internet interface.

Entrust certificate/trustpoint is configured, but not used or assigned to anything in firewall.

Question is: is there any way to assign internal truistpoint for internal customer users for VPN machine authentication and use Entrust trustpoint for partner/3rd parties install correctly anyconnect via browser?

What I've found so far: one firewall interface only can have one ssl trustpoint assigned.
Is there any other way I could not see so far?



Complementing my last post...

Considering this old forum post:

and rebuilding my question:

Is it really possible authenticate differente anyconnect VPN sessions by firewall trustpoints different that one assigned to "ssl trust-point" in Internet interface?

VPNs are already in production so I can't lose my shot testing blindly.



Hi All,

Just wondering if this problem was ever solved?



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: