Certificates are used to digitally identify each end of the VPN connection: the secure gateway (the server) and the AnyConnect client (the user). A server certificate identifies the secure gateway to AnyConnect, and a user certificate identifies the AnyConnect user to the secure gateway. Certificates are issued by, and verified against, Certificate Authorities (CAs).
When establishing a connection, AnyConnect always expects a server certificate from the secure gateway. The secure gateway expects a certificate from AnyConnect only if it has been configured to require one. Requiring the AnyConnect user to enter credentials manually is another way to authenticate a VPN connection. In fact, the secure gateway can be configured to authenticate AnyConnect users with a digital certificate, with manually entered credentials, or with both. Certificate-only authentication allows VPNs to connect without user
Distribution and use
of certificates to the secure gateway and to your device is directed by your
administrator. Follow directions provided by your administrator to import, use,
and manage server and user certificates for AnyConnect VPNs. Information and
procedures in this document related to certificates and certificate management
are provided for your understanding and reference.
AnyConnect keeps both the user and server certificates used for authentication in its own certificate store. The AnyConnect certificate store is managed from the
> Certificates screen.
In order to authenticate to the secure gateway using a digital certificate, a user certificate must be imported and configured for VPN use.
User certificates are imported using one of the following methods, as directed by your
Once imported, the certificate can be associated with a particular connection entry, or AnyConnect can select it automatically during connection establishment.
The server certificate received from the secure gateway during connection establishment automatically authenticates that server to AnyConnect if, and only if, it is both valid and trusted. Otherwise:
A valid but untrusted server certificate is presented to the user for review. If the user authorizes it, it is imported into the AnyConnect certificate store, and subsequent connections to the server that present this same certificate are accepted automatically. Because authorizing the certificate establishes trust for every later connection, confirm with your administrator that it is the certificate expected for that gateway before accepting it.
An invalid certificate cannot be imported into the AnyConnect store. It can only be accepted to complete the current connection. This is not recommended: once the certificate check is bypassed, AnyConnect has no assurance that the gateway is the one it claims to be.
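The decision rules above (valid and trusted: accept automatically; valid but untrusted: review, authorize, import; invalid: never import, one-time acceptance only) as a small executable model. This is added example code, not AnyConnect's implementation or Cisco's code: the `Cert` record, the `TRUSTED_CAS` set, the `CertStore` type and the sample certificates are constructed stand-ins for real X.509 chain validation and the AnyConnect certificate store.

```python
"""Model of the server-certificate acceptance rules described above.

Added example code, not AnyConnect's implementation. The Cert record,
the TRUSTED_CAS set and the CertStore type are assumptions standing in
for real X.509 chain validation and the AnyConnect certificate store.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str            # DNS name the certificate claims (CN or SAN)
    issuer: str             # name of the signing CA; stands in for chain validation
    not_before: datetime
    not_after: datetime
    fingerprint: str        # hex SHA-256 of the DER encoding; identity used for pinning


# Constructed: CAs the client already trusts.
TRUSTED_CAS = {"Example Root CA"}


@dataclass
class CertStore:
    """Fingerprints of server certificates the user has reviewed and authorized."""
    pinned: set = field(default_factory=set)


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def is_valid(cert: Cert, hostname: str, now: datetime) -> bool:
    """Valid = inside its validity period and issued for the gateway we dialled."""
    return cert.not_before <= now <= cert.not_after and name_matches(cert.subject, hostname)


def is_trusted(cert: Cert, store: CertStore) -> bool:
    """Trusted = chains to a trusted CA, or was previously authorized and imported."""
    return cert.issuer in TRUSTED_CAS or cert.fingerprint in store.pinned


def evaluate(cert: Cert, hostname: str, store: CertStore, now: datetime,
             user_authorizes: bool = False) -> str:
    """Apply the rules: returns 'accept', 'prompt', 'accept-once' or 'reject'."""
    if not is_valid(cert, hostname, now):
        # An invalid certificate is never imported; the user may only
        # accept it for this one connection, which is not recommended.
        return "accept-once" if user_authorizes else "reject"
    if is_trusted(cert, store):
        return "accept"                       # valid and trusted: automatic
    if user_authorizes:
        store.pinned.add(cert.fingerprint)    # valid but untrusted: review, then import
        return "accept"
    return "prompt"                           # needs the user's decision


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time
GATEWAY = "vpn.example.com"


def run_scenario() -> list:
    """Walk the three cases in order; returns the sequence of decisions."""
    store = CertStore()
    public = Cert(GATEWAY, "Example Root CA",
                  datetime(2024, 1, 1, tzinfo=timezone.utc),
                  datetime(2025, 1, 1, tzinfo=timezone.utc), "aa11")
    internal = Cert("*.example.com", "Corp Internal CA",
                    datetime(2024, 1, 1, tzinfo=timezone.utc),
                    datetime(2025, 1, 1, tzinfo=timezone.utc), "bb22")
    expired = Cert(GATEWAY, "Example Root CA",
                   datetime(2023, 1, 1, tzinfo=timezone.utc),
                   datetime(2024, 3, 1, tzinfo=timezone.utc), "cc33")
    return [
        evaluate(public, GATEWAY, store, NOW),                          # accept
        evaluate(internal, GATEWAY, store, NOW),                        # prompt
        evaluate(internal, GATEWAY, store, NOW, user_authorizes=True),  # accept (pinned)
        evaluate(internal, GATEWAY, store, NOW),                        # accept (pin reused)
        evaluate(expired, GATEWAY, store, NOW),                         # reject
        evaluate(expired, GATEWAY, store, NOW, user_authorizes=True),   # accept-once
        evaluate(expired, GATEWAY, store, NOW),                         # reject: never pinned
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The point the scenario makes is the asymmetry between the two failure cases: authorizing a valid but untrusted certificate changes future behaviour (the pin makes every later connection silent), while accepting an invalid one never does. In practice the "review" step is only as strong as what the user compares the certificate against, so check the fingerprint against the value your administrator distributed before authorizing it.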
Certificates in the AnyConnect store can be deleted if they are no longer needed for