Certificate Services and Cisco AnyConnect

    Question

  • We currently are using a standalone root CA on Windows 2003 to generate certificates that are used to connect to VPN using Cisco AnyConnect clients.

    I am trying to get a Windows 2008 R2 Server set up as a standalone root CA to replace it but can't get it to work.

    I installed the certificate services on the Windows 2008 R2 server the same way as the old server (not many options when it is standalone and running the standard version of Windows 2008).

    I created, approved and installed a certificate on a Windows 7 laptop, but AnyConnect keeps saying that there isn't a valid certificate to use for connections. Looking at the MMC, the certificate is valid and the new root CA is in the Trusted Root Authority.

    Also, I compared the certificates from the old root CA and the new root CA, and the only difference I could see is that the new cert had a Basic Constraints extension that says Subject Type=End Entity, Path Length Constraint=None.

    I believe this is an issue with the certificate (or how the AnyConnect client sees it) and not the configuration of the Cisco VPN device I'm trying to connect to, since the error message pops up immediately. (FYI, I added the root CA cert and identity cert to the Cisco VPN device and created a new cert match rule, just in case.)

    Has anyone got this to work with Windows 2008 R2?


    Heath

    Tuesday, July 16, 2013 3:50 PM

Answers