- Certificate validation failure while using cisco anyconnect with pfx certificates
- Procedure 1: repair the installation
- Procedure 2: allow vpn to freely communicate through firewall
- Procedure 3: check the virtual adapter driver in Device Manager and update it
- Procedure 4: tweak registry and repair cisco vpn
- Procedure 5: update the anyconnect
- Procedure 6: create trustpoints for each certificate being installed
- Procedure 7: perform clean reinstallation
- Conclusion
Certificate validation failure while using cisco anyconnect with pfx certificates
I have installed Cisco AnyConnect Secure Mobility Client 4.2.01022 (all required packages).
Then added .pfx certificates to gnome2-key storage.
Then I launched Cisco AnyConnect Secure Mobility Client and typed where to connect, but Cisco keeps telling me "Certificate validation failure".
Tried this:
sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca
The link was created but didn't help. How do I connect?
UPD:
This is how I extracted the certificates in different formats:
openssl pkcs12 -in store.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in store.pfx -nocerts -nodes -out domain.key
openssl pkcs12 -in store.pfx -out domain.crt -nodes -nokeys -cacerts
openssl pkcs12 -in store.pfx -nocerts -out domain.pem -nodes
Got 4 files:
domain.cer
domain.key
domain.crt
domain.pem
Placed all 4 of them in 3 different places:
~/.cisco/certificates/ca
Trusted CA and root certificates
~/.cisco/certificates/client
Client certificates
~/.cisco/certificates/client/private
Private keys
Same error.
UPD2: Tried to configure an AnyConnect-compatible connection with OpenConnect (which is integrated into the Linux network center):
It asks to set:
CA certificate (it has to be domain.crt, so I chose it)
User certificate (which one is it? I didn't choose one)
Private key (I think it's domain.key, so I chose it)
But when it tries to connect:
Certificate from VPN server [host ip] failed verification.
Reason: certificate does not match hostname
Do you want to accept it?
With the info below:
X.509 Certificate Information:
Version: 3
Serial Number (hex): ****
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=GeoTrust RSA CA 2021
Validity:
Not Before: **
Not After: **
Subject: C=RU,ST=[city],L=[city],O=[company name],OU=IT,CN=vpn.[companyname].ru
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
....
I accept, and get the same error, Certificate validation failure; full log:
POST https://[host_name]/
Attempting to connect to server [host_name]:443
SSL negotiation with [host_name]
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on [host_name]
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2021 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Server requested SSL client certificate; none was configured
POST https://[host_name]/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2021 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
PS: On Windows the same steps worked: I added the cert by double-clicking, then launched the Cisco client, typed the server, then it asked for the server password I guess, and then I was connected.
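As an added example that is not part of the original post, the shell script below builds a throwaway test PKI (assumed names: Test VPN CA, vpn.example.test, vpn-user, store.pfx), performs the same pkcs12 split as the post, and then runs the three checks that decide both errors seen above: does the client certificate chain to the extracted CA, does the private key belong to it, and does the name typed into the client match the server certificate's SANs (a bare IP is compared against IP SANs only, which is why a DNS-only certificate fails when the server is entered by address).

```shell
#!/bin/sh
# Added example (not from the original post): the checks behind
# "Certificate validation failure" and "certificate does not match hostname",
# run with openssl alone against a constructed throwaway PKI in a temp dir.
# Assumed names: Test VPN CA, vpn.example.test, vpn-user, store.pfx.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed fixture: CA, server cert with a DNS SAN only, client cert + key
# bundled into store.pfx the way a user would receive it from IT.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Test VPN CA" -days 2 >/dev/null 2>&1
printf 'subjectAltName=DNS:vpn.example.test\n' > srv.ext
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=vpn.example.test" >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out srv.crt -days 2 -extfile srv.ext >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout cli.key -out cli.csr \
  -subj "/CN=vpn-user" >/dev/null 2>&1
openssl x509 -req -in cli.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out cli.crt -days 2 >/dev/null 2>&1
openssl pkcs12 -export -in cli.crt -inkey cli.key -certfile ca.crt \
  -out store.pfx -passout pass:

# The same split the post performs: client cert, private key, CA chain.
openssl pkcs12 -in store.pfx -clcerts -nokeys -out domain.cer -passin pass:
openssl pkcs12 -in store.pfx -nocerts -nodes -out domain.key -passin pass:
openssl pkcs12 -in store.pfx -cacerts -nokeys -out domain.crt -passin pass:
# Check 1: the extracted client cert must chain to the extracted CA.
client_chain_ok() { openssl verify -CAfile domain.crt domain.cer >/dev/null 2>&1; }

# Check 2: the private key must belong to that cert (compare public keys).
client_key_matches() {
  a=$(openssl x509 -in domain.cer -noout -pubkey | openssl dgst -sha256)
  b=$(openssl pkey -in domain.key -pubout | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Check 3: the name typed into the client vs the server cert's SANs. A bare
# IP is compared with IP SANs only, so a DNS-only cert fails as in the post.
server_name_matches() {
  case "$1" in *[!0-9.]*) flag=-verify_hostname ;; *) flag=-verify_ip ;; esac
  openssl verify -CAfile ca.crt "$flag" "$1" srv.crt >/dev/null 2>&1
}
# Stand-alone run: the bare-IP case is the expected mismatch from the post.
for c in client_chain_ok client_key_matches \
    "server_name_matches vpn.example.test" "server_name_matches 198.51.100.4"; do
  $c && echo "ok: $c" || echo "mismatch: $c"; done
```

Point the same three functions at a real domain.cer, domain.key, domain.crt and server certificate (fetched with openssl s_client) to see which of the two failures a given setup actually has.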
Procedure 1: repair the installation
Step 1: Click the "Start" button, type "Control Panel" in Windows Search and open "Control Panel"
Step 2: In the opened "Control Panel", choose "Uninstall a program", find the "Cisco AnyConnect VPN" client and choose "Repair"
Step 3: Follow the on-screen instructions to finish the repair process. Once done, restart your computer and check whether the problem is resolved.
Procedure 2: allow vpn to freely communicate through firewall
Step 1: Click the "Start" button, type "Allow an App" in Windows Search and open "Allow an App through Windows Firewall"
Step 2: Now click "Change Settings"
Step 3: Make sure that "Cisco VPN" is on the list and is allowed to communicate through Windows Firewall. If not, click "Allow another App" and add it
Procedure 3: check the virtual adapter driver in Device Manager and update it
Step 1: Press the "Windows + X" keys on the keyboard and select "Device Manager"
Step 2: In the opened “Device Manager” window, locate and expand “Network Adapters”
Step 3: Right-click the Cisco virtual adapter and select "Update driver software"
Step 4: Follow the on-screen instructions to finish the update process.
Step 5: Once done, restart your computer and check whether the problem is resolved.
Procedure 4: tweak registry and repair cisco vpn
Step 1: Press the "Windows + R" keys together on the keyboard, type "regedit" in the "Run" dialog box and then click "OK"
Step 2: In the opened "Registry Editor" window, navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA"
Step 3: Right-click the "DisplayName" registry entry and choose "Modify"
Step 4: Under "Value Data", make sure the only text that remains is Cisco System VPN Adapter (remove anything that appears in front of it)
Step 5: Save the changes and try running Cisco AnyConnect VPN again.
Procedure 5: update the anyconnect
Step 1: Go to “ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software”
Step 2: You can either replace the existing image or add a new one.
Step 3: After that, connect to the ASA. The client will be updated automatically.
Procedure 6: create trustpoints for each certificate being installed
Step 1: Open the “Cisco ASDM”
Step 2: Under “Remote Access VPN” window pane, click on “Configuration” tab and expand “Certificate Management” and click on “CA Certificates”
Step 3: Click on “Add” button
Step 4: Assign a "TrustPoint Name" to the certificate, such as "DigiCertCA2", select the "Install from the file" radio button, browse to "DigiCertCA2.crt", then click "Install Certificate". Repeat this process of adding a new trustpoint and installing the certificate file for "DigiCertCA.crt"
Step 5: Under "Remote Access VPN", expand "Certificate Management" to "Identity Certificates". Select the identity you created for the CSR with its "Expiry Date" and click "Install > Install Certificate"
Step 6: The certificate now needs to be enabled. To do so, click "Advanced > SSL Settings > Edit > Primary Enrolled Certificate", select your certificate and then click "OK"
Step 7: ASDM will then show your Certificate details under trustpoint
Procedure 7: perform clean reinstallation
Step 1: Navigate to “Control Panel” and choose “Uninstall a program”
Step 2: Uninstall “Cisco AnyConnect VPN Client”
Step 3: Navigate to the system partition and delete everything Cisco-related from the Program Files folder
Step 4: Once it is uninstalled completely, restart your computer
Step 5: After that, download the latest version of "Cisco AnyConnect" from the official Cisco website
Step 6: Double-click the installer file and follow the on-screen instructions to finish the installation.
Step 7: Once installed, restart your computer again and check whether the AnyConnect certificate error is resolved.
Conclusion
Cisco AnyConnect is a VPN service that offers standard VPN encryption and protection. The AnyConnect Secure Mobility Client is a modular endpoint software product. It not only provides Virtual Private Network (VPN) access through Secure Sockets Layer (SSL)
I am sure this article helped you to "Fix Cisco AnyConnect Certificate Validation Failure Windows 10" with several easy methods/procedures. You can follow either one or all of the procedures to fix this issue.
If you are unable to fix the Cisco AnyConnect Certificate Validation Failure problem with the solutions mentioned above, it may be that your system is infected with malware or viruses. According to security researchers, malware or viruses can cause various kinds of damage to your computer.
In this case, you can scan your computer with powerful antivirus software that is able to remove all types of malware or viruses from the system.
