
Cisco Anyconnect with certificates

First of all, let's be sure you set up the basics on the ASA. By that I mean:

Configure your interfaces, routing, clock, timezone, NTP server, domain-name and NAT exemptions for SSLVPN AnyConnect client address pools.

You only have to configure the NAT exemptions if you are using NAT control or the pools fall inside of an existing NAT rule. I cannot emphasize enough the importance of having reliable time when using certificate-based authentication. Be sure you set up NTP and verify that it is working with the following command:

show ntp status

Next, we need to configure our ASA CA server. To accomplish this, do the following in ASDM:

Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority. Click on CA Server. Check to enable the CA server. Fill out the form:

1) Check "create certificate authority server"

2) Type in a strong passphrase to protect your new root certificate

3) Leave the rest of the top part of the form at the defaults

4) Under "SMTP Server" enter the IP address of your corporate SMTP mail server. This will be used to send enrollment emails to new users. It provides them with instructions on how to obtain their new identity certificate. Email is the preferred method for obtaining user certificates. However, it can be done manually as I'll describe later.

5) Add a "from address" and an email subject line

6) Click Apply

Configure a trusted identity certificate on your ASA. It is important that you use an identity certificate from a trusted CA source for your ASA. An ASA identity certificate is the certificate that the ASA will hand out to the SSLVPN clients that connect to it. In order for everything to work correctly, the certificate must match the ASA hostname/IP address. Also, the end user's client must trust the CA that generated the ASA's identity certificate.

A self-signed or other non-trusted CA cert is fine for testing but not for production. In fact, I recommend that you don't even bother testing without a full "real" ASA identity certificate at all. Too much could go wrong when you switch certificates later. Within ASDM you can sign up for a special promo certificate from Entrust if you'd like but any trusted public CA will do the trick. To configure the identity certificate on your ASA do the following:

1) First obtain your identity certificate. Make sure it is in PKCS12 format. Also, be sure it includes the complete certificate chain.

2) Go to Configuration > Remote Access VPN > Certificate Management > Identity Certificates. Click Add.

3) If your ASA will be in DNS then you can use the FQDN as the identifier in the certificate. If it will not be in DNS (only during testing, for production it must be in DNS) then be sure to use the IP address as the identifier.

4) That's it, you're done! However, if you need to do it the hard way by using a certificate signing request, then proceed to steps 5 through the end below.

5) If you need to generate a certificate signing request from the ASA, then instead of doing step 2 do the steps below.

6) If you will be using only IP address to get to the ASA then be sure to click on advanced and fill in the IP address field.

7) Click add certificate when done.

8) Now click on export. This will give you the cert request that you can deliver to your CA.

9) Once your CA gives you a cert go back here and click install. Browse to the file they gave you and install it.

10) You're done!

Now we need to set up our SSLVPN on the ASA. In this example I'll just be doing the Cisco AnyConnect setup. The easiest way is to use the SSLVPN wizard in ASDM (GUI and easy peasy). So go there now (top bar > wizards > sslvpn). I'm keeping it simple and using the local user database, but feel free to use LDAP or RADIUS instead for authentication.
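A pre-import check for the PKCS12 file from step 1, added here as an example and not part of the original post: it confirms the bundle carries CA certificates, that the identity certificate matches the FQDN or IP address clients will use, and that the chain verifies. The CA, the name vpn.example.test, the address 192.0.2.10 and the passphrase are constructed test values; against a real bundle, pass the root certificate your clients trust.

```shell
#!/bin/sh
# Added example. Everything below is constructed test data: a throwaway CA and a
# server certificate for the placeholder name vpn.example.test / 192.0.2.10.
make_sample_p12() {  # $1 = work dir, $2 = export passphrase
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Sample Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$d/asa.key" -out "$d/asa.csr" 2>/dev/null
  printf 'subjectAltName=DNS:vpn.example.test,IP:192.0.2.10\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/asa.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/ext.cnf" -out "$d/asa.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/asa.key" -in "$d/asa.pem" \
    -certfile "$d/ca.pem" -passout "pass:$2" -out "$d/asa.p12"
}

# Helpers: $1 = PKCS12 file, $2 = its passphrase.
p12_leaf() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null; }
p12_cas()  { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null; }

# Number of CA certificates carried in the bundle; 0 means no chain was included.
p12_ca_count() { p12_cas "$1" "$2" | grep -c 'BEGIN CERTIFICATE' || true; }

# Succeeds if the identity certificate matches the name or IP clients connect to.
# $3 = host or ip, $4 = value. openssl exits 0 either way, so test its message.
p12_matches() {
  p12_leaf "$1" "$2" | openssl x509 -noout "-check$3" "$4" 2>/dev/null | grep -q 'does match'
}

# Succeeds if the leaf verifies up to the trusted root ($3) using only the
# CA certificates shipped inside the bundle as intermediates.
p12_chain_ok() {
  t=$(mktemp -d)
  p12_leaf "$1" "$2" > "$t/leaf.pem"
  p12_cas "$1" "$2" > "$t/chain.pem"
  openssl verify -CAfile "$3" -untrusted "$t/chain.pem" "$t/leaf.pem" >/dev/null 2>&1
  rc=$?; rm -rf "$t"; return "$rc"
}

w=$(mktemp -d); pw='constructed-passphrase'
make_sample_p12 "$w" "$pw"
echo "CA certs in bundle: $(p12_ca_count "$w/asa.p12" "$pw")"
p12_matches "$w/asa.p12" "$pw" host vpn.example.test && echo "FQDN matches"
p12_matches "$w/asa.p12" "$pw" ip 192.0.2.10 && echo "IP matches"
p12_chain_ok "$w/asa.p12" "$pw" "$w/ca.pem" && echo "chain verifies"
```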

Common Issue:

If you secure your AnyConnect with certificates, you may see a popup when you simply want it to connect without prompting.

If you want to get rid of this popup, you have to do the following. You need to edit the profile for your AnyConnect so that you 'UNTICK' Disable Automatic Certificate Selection. I know that sounds like the opposite of what you want to do, but welcome to the world of CISCO! :)
