Cisco 5505 - ASA Firewall Edition Bundle Administrator's Guide

118 pages
2-7
Cisco AnyConnect VPN Client Administrator Guide
OL-12950-012
Chapter 2 Common AnyConnect VPN Client Installation and Configuration Procedures
Before You Install the AnyConnect Client
Step 9 Click OK to close the Certificate window.
Step 10 Click Yes to close the Security Alert window.
The security appliance window opens, signifying the certificate is trusted.
In Response to a Netscape, Mozilla, or Firefox “Certified by an Unknown Authority” Window
The following procedure explains how to install a self-signed certificate as a trusted root certificate on
a client in response to a “Web Site Certified by an Unknown Authority” window. This window opens
when you establish a Netscape, Mozilla, or Firefox connection to a security appliance that is not
recognized as a trusted site. This window shows the following text:
Unable to verify the identity of <Hostname_or_IP_address> as a trusted site.
Install the certificate as a trusted root certificate as follows:
Step 1 Click the Examine Certificate button in the “Web Site Certified by an Unknown Authority” window.
The Certificate Viewer window opens.
Step 2 Click the “Accept this certificate permanently” option.
Step 3 Click OK.
The security appliance window opens, signifying the certificate is trusted.
Replacing a Digital Certificate with a Trusted Certificate
A trusted certificate is the most secure option. You can replace the central-site security appliance digital
certificate with a trusted certificate by following the procedures in this section. By default, the security
appliance has a self-signed certificate that is regenerated every time the device is rebooted. You can
purchase a certificate from a CA provider like Verisign or Entrust with the name matching the
Fully-Qualified Domain Name (FQDN) of your central-site security appliance (for example,
vpn.yoursys.com), or you can have the security appliance issue a permanent certificate for itself by
entering the following commands, replacing x.x.x.x with the outside (public) IP address of your
security appliance:
crypto ca trustpoint self
enrollment self
subject-name CN=x.x.x.x,CN=vpn.yoursys.com
crl configure
crypto ca enroll self
ssl trust-point self outside
write
When users first connect using AnyConnect, they should click “View Certificate”, install this new
certificate, then click “Yes” to proceed. The next time they re-connect, they do not see the security alert
popup, even if the security appliance is rebooted.
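
The procedures above have users accept a self-signed certificate on first connect. The following added example (not from the Cisco guide) compares the certificate a client is shown against a SHA-256 fingerprint that the administrator publishes out of band. The function names and the out-of-band publication step are assumptions, and the sample certificate bytes are constructed placeholders, not real X.509.

```python
import hashlib
import hmac
import re
import ssl


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return 64 lowercase hex chars."""
    fp = re.sub(r"[:\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def matches_published(pem: str, published: str) -> bool:
    """True only if the presented certificate is the one the administrator published."""
    return hmac.compare_digest(cert_fingerprint(pem), normalize_fingerprint(published))


def fetch_presented_cert(host: str, port: int = 443) -> str:
    """Fetch the certificate without validating it (it is self-signed by design)."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-ins for two DER certificates (opaque bytes, not real X.509):
# the permanent trustpoint certificate, and a different one, such as a default
# certificate regenerated at reboot or one presented by an interposed device.
ENROLLED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-der-bytes: trustpoint self")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-der-bytes: some other cert")

# What the administrator would publish out of band, in colon-separated form.
_hex = cert_fingerprint(ENROLLED_PEM).upper()
PUBLISHED = ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print("enrolled cert matches:", matches_published(ENROLLED_PEM, PUBLISHED))
    print("other cert matches:   ", matches_published(OTHER_PEM, PUBLISHED))
```

Against a live appliance, pass the output of `fetch_presented_cert("vpn.yoursys.com")` to `matches_published` before installing the certificate; a mismatch means the certificate shown is not the one that was enrolled.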
