The AnyConnect certificate warning can be removed either by importing the subordinate CA key to the clients or by using a self-signed certificate on every client with the appropriate Common Name (CN) and FQDN.
Below are the steps to create a self-signed certificate using OpenSSL.
- Generate a 4096-bit RSA key for the root CA and store it in the file ca.key, using this command in cmd:
openssl genrsa -out ca.key 4096
- Use the following command to create the self-signed root CA certificate:
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Fill in the fields regarding the identity of the system as required.
- Generate a key for the subordinate CA, whose certificate will be signed by the root CA, using the command:
openssl genrsa -out ia.key 4096
- Create the certificate signing request (CSR) for the subordinate CA using the following command:
openssl req -new -key ia.key -out ia.csr
Again, fill in the fields as directed.
- Process the request for the subordinate CA certificate and get it signed by the root CA using the following command:
openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
The root CA certificate has a five-year validity (1826 days), whereas the subordinate CA certificate has a two-year validity period (730 days).
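The five steps above, run end to end as an added example (this script is not part of the original article): the OpenSSL commands are made non-interactive with -subj, a subjectAltName carrying the FQDN is added at signing time, and the result is checked the way a client checks it, by verifying the chain against ca.crt and matching the hostname. The FQDN vpn.example.test, the working directory and the subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not the page's own script.
# Assumptions: openssl is on PATH; the FQDN is a placeholder to replace with
# the ASA's real FQDN; the subject fields are made-up sample values.

build_chain() {
    # $1 = working directory, $2 = FQDN of the ASA (the CN of the end certificate)
    (
        set -e
        cd "$1"
        fqdn="$2"

        # Root CA: 4096-bit key and self-signed certificate, five-year validity
        openssl genrsa -out ca.key 4096 2>/dev/null
        openssl req -new -x509 -days 1826 -key ca.key -out ca.crt \
            -subj "/C=US/O=Example Lab/CN=Example Lab Root CA" 2>/dev/null

        # Subordinate: key and CSR with the ASA FQDN as the Common Name
        openssl genrsa -out ia.key 4096 2>/dev/null
        openssl req -new -key ia.key -out ia.csr \
            -subj "/C=US/O=Example Lab/CN=$fqdn" 2>/dev/null

        # Root CA signs the request, two-year validity. The subjectAltName
        # extension is added here so clients that ignore the CN still match
        # the FQDN (an addition beyond the page's command).
        printf 'subjectAltName=DNS:%s\n' "$fqdn" > san.ext
        openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key \
            -set_serial 01 -extfile san.ext -out ia.crt 2>/dev/null

        # Check what the client checks: chain to ca.crt and hostname match
        openssl verify -CAfile ca.crt -verify_hostname "$fqdn" ia.crt >/dev/null
    )
}

# Usage: build_chain ./pki vpn.example.test && echo "chain OK"
```

If the final verify fails with a hostname error, the CN/SAN in ia.crt does not match the FQDN the clients connect to, which is exactly the condition that produces the AnyConnect warning.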
Exporting the self-signed certificate:
The self-signed certificates can be pushed to the clients through the VPN. Ensure that the VPN profile pushes down the FQDN to clients upon connect.
Alternatively, if you are not using a public DNS service, modify the local hosts file on the clients to map the FQDN to the IP address of the ASA.