How to properly install certificate issued to me?


The apparently misleading error The AnyConnect package on the secure gateway could not be located... means AnyConnect does in fact use the certificate, which you wanted it to use.

If your goal is to have the VPN connection work as expected, this is not a problem with proper installation of your certificate for AnyConnect to use.

How to make the VPN connection actually work in this case is below the answer to your initial question.


The answer to your question:

AnyConnect checks various locations for certificate files, including those used by web browsers.

What complicates the issue is that there are different types of certificate files to check for, and all should go into directories dedicated for their kind for AnyConnect to see them.

To manually install the certificate in a location where AnyConnect expects to find it, in your case do this:

openssl pkcs12 -in source.pfx -out exported.pem -nokeys
openssl pkcs12 -in source.pfx -out exported.key -nocerts

Use the same name beginning for .pem and .key files.

It will ask you for the .pfx file pass to get both the .pem and .key files.

It will ask you to set up a pass for the .key file. There should be a pass repeat prompt and no errors. AnyConnect will ask for this pass after pressing connect button, but before showing login/pass fields for connection authentication.

Either in your user home directory or /opt create these dirs:

.cisco/certificates/client
.cisco/certificates/client/private

You have to create these manually. AnyConnect's installer creates only the /opt/.cisco/certificates/ca directory.

Put the .pem file in the first directory created manually, and the .key file in the second one.

Now AnyConnect should be able to use these as expected, provided all directories and files have correct access rights.

These dirs are mentioned somewhere in Cisco's documentation (Create a PEM Certificate Store for Mac and Linux).

Don't be surprised to see the same error The AnyConnect package on the secure gateway could not be located.... Read below.


How to make the VPN connection actually work the way you want it to:

In my case only using OpenConnect with the same keyfiles worked so far:

Create .pem and .key files as described above,

do steps 4th and 5th from this site

which are:

apt-get install network-manager-openconnect-gnome

open Network Connections, go to VPN tab, click new

select Cisco AnyConnect Compatible VPN (openconnect)

Gateway: [vpn.yourcompany.com]

User Certificate: [select your exported.pem]

Private key: [select your exported.key]

and now try connecting

(through network connection applet visible next to clock on screen should work just fine)

it worked for me on xubuntu 14.04


Why does AnyConnect not work but OpenConnect does?

From /var/log/syslog I found that AnyConnect tries to download something from the server on the other side but gets a 404 error several times and thus fails:

(...) acvpnui (...) Description: CTRANSPORT_ERROR_HTTP_RETURNED_ERROR:The HTTP server returned an error code (>= 400) HTTP status code received 404

This error message means that AnyConnect tries to get something from the server on the other side, after having successfully authenticated, and disconnects because the file (apparently necessary for it to work) is not available.

It looks like OpenConnect does not need this file.
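As an added example (not part of the original answer), a POSIX shell function that performs the export into the per-user store described above non-interactively, locks down the private key's permissions, and checks that the exported certificate and key actually belong together. The function name `install_anyconnect_pem` and its argument order are my own; the directory layout and the key passphrase behaviour follow the answer.

```shell
#!/bin/sh
# Export a .pfx into the AnyConnect PEM store (added example, not Cisco's
# or the answer author's code). Assumes openssl is in PATH and that the
# passwords are passed as arguments instead of being prompted for.
set -eu

# install_anyconnect_pem <pfx> <pfx-password> <key-passphrase> [store-root]
# store-root defaults to $HOME; the answer's other option is /opt.
install_anyconnect_pem() {
    pfx=$1; pfx_pass=$2; key_pass=$3; root=${4:-$HOME}
    base=$(basename "$pfx" .pfx)          # same name stem for .pem and .key
    certdir="$root/.cisco/certificates/client"
    keydir="$certdir/private"

    # AnyConnect's installer does not create these; keep the key dir private.
    mkdir -p "$keydir"
    chmod 700 "$keydir"

    # Client certificate only (-clcerts leaves out any bundled CA chain), no key.
    openssl pkcs12 -in "$pfx" -passin "pass:$pfx_pass" \
        -clcerts -nokeys -out "$certdir/$base.pem"

    # Private key, re-encrypted under the passphrase AnyConnect will ask for
    # when you press Connect. umask 077 so the file is never world-readable.
    umask 077
    openssl pkcs12 -in "$pfx" -passin "pass:$pfx_pass" \
        -nocerts -passout "pass:$key_pass" -out "$keydir/$base.key"
    chmod 600 "$keydir/$base.key"

    # Sanity check: the public key in the certificate must equal the one
    # derived from the private key, or the TLS client handshake will fail.
    cert_pub=$(openssl x509 -in "$certdir/$base.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$keydir/$base.key" -passin "pass:$key_pass" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate/key mismatch" >&2; return 1; }

    # Show what was installed and when it expires.
    openssl x509 -in "$certdir/$base.pem" -noout -subject -enddate
}

# Usage: install_anyconnect_pem source.pfx 'pfx password' 'new key passphrase'
```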

Author: Andrius

Updated on September 18, 2022

Comments

  • Andrius, over 1 year ago

    I tried various ways to install certificate, but it seems it either not being seen by linux or something else is wrong.

    I got .pfx to be able to connect to another server via vpn (need to use Cisco AnyConnect). I tried converting it to .pem, then adding that file into /usr/share/ca-certs (with both creating new directory inside there or just putting it directly), then running `update-ca-certificates`. I always get this response:

    Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    

    Then trying to connect using Cisco AnyConnect, would give me this error: 'Certificate validation error'

    The only way I managed to import certificate, was via firefox. I imported it in Your Certificates.

    Then again trying to connect using Cisco AnyConnect, it would give me this error:

    The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.
    

    Then I opened imported certificate in Firefox and saw this message:

    could not verify this certificate because the issuer is not trusted.

    So going in Authorities I found the one that issued me this certificate and edited to be trusted ticking all options. Now it shows that it was verified for ssl client certificate, email signer certificate, SSL Certificate Authority, Status Responder Certificate.

    But still, trying to connect using cisco anyconnect, gives me that error for not locating secure gateway.

    I don't have any ideas what else could I do to solve this problem.

    I also wrote another related question here. That one is more about properly configuring vpn and this one about properly installing certificate.

    Link to related question: https://askubuntu.com/questions/484096/setting-up-vpn-connection-with-cisco-anyconnect-the-anyconnect-package-on-the

    P.S. I'm using Ubuntu 14.04

    • jww, almost 10 years ago
      What is the certificate for, and where are you trying to install it? AnyConnect certificates are usually used for TLS and VPN client-side authentication. So they don't usually get put in cacerts. You should also have a private key in the PFX file. The PFX file or private key should be put in a Keychain or KeyStore.
  • Andrius, almost 10 years ago
    Thanks for the answer. Forgot to write this as solved. The problem was with older AnyConnect package than it needed (or at least that's what guy responsible for that server told me). Later he said he updated software and I could connect successfully both with AnyConnect and OpenConnect.
  • Johnson Steward, almost 8 years ago
    That file is Cisco Secure Desktop Trojan (Google it)