Certificate validation failure while using cisco anyconnect with pfx certificates
Solution 1
AnyConnect supports PEM format client certificates for authentication. Check the administrator guide on how to configure client certificates for the Linux platform. Copy the client certificate to the folder ~/.cisco/certificates/client and the private key to ~/.cisco/certificates/client/private. Also:
- All certificate files must end with the extension .pem.
- All private key files must end with the extension .key.
- A client certificate and its corresponding private key must have the same filename. For example: client.pem and client.key.
Solution 2
You can use openconnect:
- Install it:
sudo apt-get install network-manager-openconnect-gnome
- Convert the .pfx cert to .pem:
openssl pkcs12 -in file.pfx -out file.pem -nodes
- In your GNOME / KDE open the Settings > Network menu. In the standard VPN settings you should see the Cisco AnyConnect Compatible VPN item.
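As an added example (not from either answer, and not Cisco's or openconnect's code), a POSIX shell script that combines the openssl conversion from Solution 2 with the directory, extension and same-basename rules from Solution 1, then checks that the resulting .pem really is a certificate and that its public key matches the .key. It assumes openssl is installed; the function names and the <name>-ca.pem file name are mine.

```shell
#!/bin/sh
# Added example (not from either answer): convert a client .pfx into the
# AnyConnect file layout from Solution 1 and check that the .pem/.key pair match.
# Assumes openssl on PATH; base dir defaults to ~/.cisco/certificates and can be
# overridden (the demo at the bottom uses a scratch directory).
set -eu

# verify_pair <cert.pem> <key.key>: each file must hold the right object type and
# both must carry the same public key. Prints the public-key SHA-256 on success.
verify_pair() {
  grep -q 'BEGIN CERTIFICATE' "$1" || { echo "$1: not a certificate" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$2"       || { echo "$2: not a private key" >&2; return 1; }
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ] || { echo "public key mismatch: $1 vs $2" >&2; return 1; }
  echo "$c"
}

# install_pfx <file.pfx> <name> [base_dir] [pfx_password]
# Writes client/<name>.pem, client/private/<name>.key and, if the bundle carries
# issuer certificates, ca/<name>-ca.pem (the -ca suffix is this script's choice).
install_pfx() {
  pfx=$1; name=$2; base=${3:-$HOME/.cisco/certificates}; pw=${4:-}
  mkdir -p "$base/ca" "$base/client" "$base/client/private"
  # Leaf certificate only: a .pem that holds the private key is not a certificate.
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pw" \
    -out "$base/client/$name.pem"
  # Unencrypted key (-nodes) with the .key extension, created owner-readable only.
  ( umask 077; openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pw" \
      -out "$base/client/private/$name.key" )
  # Issuer chain, if any, belongs in ca/ and nowhere else.
  openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pw" \
    -out "$base/ca/$name-ca.pem"
  grep -q 'BEGIN CERTIFICATE' "$base/ca/$name-ca.pem" || rm -f "$base/ca/$name-ca.pem"
  verify_pair "$base/client/$name.pem" "$base/client/private/$name.key"
}

# make_demo_pfx <dir> <password>: constructed self-signed bundle for the demo only.
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-client \
    -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null
  openssl pkcs12 -export -in "$1/c.pem" -inkey "$1/k.pem" \
    -out "$1/store.pfx" -passout "pass:$2"
}
# Demo in a scratch directory. Real use: install_pfx store.pfx client '' 'pfx-password'
demo=$(mktemp -d)
make_demo_pfx "$demo" demo-pass
install_pfx "$demo/store.pfx" demo "$demo/certs" demo-pass
find "$demo/certs" -type f
```

A key-only file saved with a .pem name (the domain.pem produced by `-nocerts` in the question) fails the certificate check, and a .pem/.key pair taken from two different bundles fails the public-key comparison.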
Rocketq
Updated on September 18, 2022
Comments
-
Rocketq over 1 year
I have installed cisco anyconnect secure mobile client 4.2.01022 (+ all required packages). Then I added the .pfx certificates to the gnome2-key storage. Then I launched cisco anyconnect secure mobile client and typed where to connect, but Cisco keeps telling me:
Certificate validation failure
Tried this:
sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca
The link was created but it didn't help. How do I connect?
UPD:
This way I have extracted some certificates in different formats:
openssl pkcs12 -in store.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in store.pfx -nocerts -nodes -out domain.key
openssl pkcs12 -in store.pfx -out domain.crt -nodes -nokeys -cacerts
openssl pkcs12 -in store.pfx -nocerts -out domain.pem -nodes
Got 4 files:
domain.cer domain.key domain.crt domain.pem
Placed all 4 of them in 3 different places:
- ~/.cisco/certificates/ca (Trusted CA and root certificates)
- ~/.cisco/certificates/client (Client certificates)
- ~/.cisco/certificates/client/private (Private keys)
Same error.
UPD2: Tried to configure the Cisco AnyConnect compatible VPN with openconnect (which is integrated into the Linux network center). It asks to set:
- CA certificate (it has to be domain.crt, so I chose it)
- User certificate (what is it? - didn't choose)
- Private key (I think it's domain.key, so I chose it)
But when it tries to connect:
Certificate from VPN server [host ip] failed verification.
Reason: certificate does not match hostname
Do you want to accept it?
Certificate from VPN server "194.176.96.4" failed verification.
Reason: certificate does not match hostname
Do you want to accept it?
With the info below:
X.509 Certificate Information:
Version: 3
Serial Number (hex): ****
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=GeoTrust RSA CA 2018
Validity:
Not Before: **
Not After: **
Subject: C=RU,ST=[city],L=[city],O=[company name],OU=IT,CN=vpn.[companyname].ru
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
....
I accept, and get the same error, Certificate validation failure. Full log:
POST https://[host_name]/
Attempting to connect to server [host_name]:443
SSL negotiation with [host_name]
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on [host_name]
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Server requested SSL client certificate; none was configured
POST https://[host_name]/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
PS: On Windows the same steps worked: I added the cert by double-clicking, then launched the Cisco client, typed the server, then it asked for the password to the server I guess, and then I was connected.
-
Rocketq over 5 years
I have extracted them - same error. I had to create those folders manually - is that OK? Because I'm sure that Cisco actually looks at those folders.
-
Mahesh over 5 years
Yes, the user is expected to create those folders. The installer will not create them.