I have installed Cisco AnyConnect Secure Mobility Client 4.2.01022 (+ all required packages). Then added .pfx certificates to gnome2-key storage.
Then I launched Cisco AnyConnect Secure Mobility Client and typed where to connect, but Cisco keeps telling me "Certificate validation failure".
Tried this:
sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca
The link was created but it didn't help. How do I connect?
UPD:
I have extracted some certificates in different formats this way:
openssl pkcs12 -in store.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in store.pfx -nocerts -nodes -out domain.key
openssl pkcs12 -in store.pfx -out domain.crt -nodes -nokeys -cacerts
openssl pkcs12 -in store.pfx -nocerts -out domain.pem -nodes
Got 4 files:
domain.cer
domain.key
domain.crt
domain.pem
Placed all 4 of them in 3 different places:
~/.cisco/certificates/ca (Trusted CA and root certificates)
~/.cisco/certificates/client (Client certificates)
~/.cisco/certificates/client/private (Private keys)
Same error.
UPD2: Tried to configure Cisco AnyConnect-compatible OpenConnect (which is integrated into the Linux network center):
It asks to set:
CA certificate (it has to be domain.crt, so I chose it)
User certificate (which one is it? - didn't choose)
Private key (I think it's domain.key, so I chose it)
But when I try to connect:
Certificate from VPN server [host ip] failed verification.
Reason: certificate does not match hostname
Do you want to accept it?
With the info below:
X.509 Certificate Information:
Version: 3
Serial Number (hex): ****
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=GeoTrust RSA CA 2018
Validity:
Not Before: **
Not After: **
Subject: C=RU,ST=[city],L=[city],O=[company name],OU=IT,CN=vpn.[companyname].ru
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
....
I accept, and get the same error, Certificate validation failure. Full log:
POST https://[host_name]/
Attempting to connect to server [host_name]:443
SSL negotiation with [host_name]
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on [host_name]
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Server requested SSL client certificate; none was configured
POST https://[host_name]/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
PS: On Windows the same steps worked: added the cert by double-clicking, then launched the Cisco client, typed the server, then it asked for the password to the server I guess, and then I was connected.
Best Answer
AnyConnect supports PEM format client certificates for authentication. Check the administrator guide on how to configure client certificates for the Linux platform. Copy the client certificate to the folder ~/.cisco/certificates/client and the private key to ~/.cisco/certificates/client/private. Also -
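As an added example (not code from the question or the answer), here is a POSIX shell script that does the extraction attempted in the question's UPD and the placement the answer describes, then checks that the extracted certificate and private key belong together. It assumes openssl is on PATH and that the .pfx password is supplied in the PFX_PASS environment variable; the output file names (client.pem, client.key, ca.pem) are my choice, the directories are the ones named on this page.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes openssl is on
# PATH and the bundle password is supplied in the PFX_PASS environment variable.
# Directory layout is the one named on this page; the file names are mine.
set -eu

# Usage: install_anyconnect_cert <bundle.pfx> [certificates-root]
# Extracts client cert, private key and CA chain as PEM into the AnyConnect
# layout and returns non-zero if the certificate and key do not match.
install_anyconnect_cert() {
    pfx=$1
    root=${2:-"$HOME/.cisco/certificates"}
    pass="pass:${PFX_PASS:-}"

    umask 077   # files created from here on are readable only by this user
    mkdir -p "$root/ca" "$root/client" "$root/client/private"

    # Client certificate only (-clcerts -nokeys), PEM, as AnyConnect expects.
    openssl pkcs12 -in "$pfx" -passin "$pass" -clcerts -nokeys \
        -out "$root/client/client.pem"
    # Unencrypted private key (-nodes) into the private key directory.
    openssl pkcs12 -in "$pfx" -passin "$pass" -nocerts -nodes \
        -out "$root/client/private/client.key"
    # Intermediate/root certificates shipped inside the bundle.
    openssl pkcs12 -in "$pfx" -passin "$pass" -cacerts -nokeys \
        -out "$root/ca/ca.pem"
    chmod 600 "$root/client/private/client.key"

    # The public key in the certificate must equal the one derived from the
    # private key, otherwise the client cannot prove possession of the key.
    cert_pub=$(openssl x509 -in "$root/client/client.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$root/client/private/client.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Prints which file goes into which OpenConnect field (UPD2 in the question).
print_layout() {
    root=${1:-"$HOME/.cisco/certificates"}
    printf 'CA certificate:   %s\n' "$root/ca/ca.pem"
    printf 'User certificate: %s\n' "$root/client/client.pem"
    printf 'Private key:      %s\n' "$root/client/private/client.key"
}
```

Run it as `PFX_PASS='bundle password' sh script.sh` after adding a call such as `install_anyconnect_cert store.pfx && print_layout` at the bottom; a non-zero exit means the certificate and key in the bundle do not match.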