Adding custom certificate to Anyconnect on MX?

JonathanNTG
Comes here often

Adding custom certificate to Anyconnect on MX?

HI,

 

So i have configured Anyconnect on our MX250 and have been in contact with Meraki support who have enabled the custom certificate option for me.

However, i am not exactly sure how i can import them. They specify ".cer" file for the certificate and the CA. But the support wrote to me that i should import the certificate as p12, but nothing about the CA?.

 

I already have an existing wildcard certificate that i would like to use, so i assume i do not need to create a CSR in the meraki dashboard, as a CSR is already made when the certificate was purchased, right?

Exporting all the cert files from my cert provider i get 6 different files (3 of which are the certificate in various formats)

The key:
STAR.domain.key

The certificate:
Just cert: STAR.domain.com.crt
Bundle: STAR.domain.com.bundle.pem
PKCS#12/PFX: STAR.domain.com.pfx

 

CA:

STAR.domain.com.ca.pem


So my question is, what 2 files do i import? I tried various combinations, but each time i get some wacky html code error that is meaningless. I also tried converting the pfx or p12, but without any luck.

4 REPLIES 4
PhilipDAth
Kind of a big deal
Kind of a big deal

You can use an online tool like:

https://www.sslshopper.com/ssl-converter.html

To convert your p12 to a pem format (pem format is the same as cer).

 

This is a text file.  You can open up your CA file in notepad and then copy everything in it, then open up your converted certificate file in notepad and paste everything into the top.

 

Now you should have a file with a chain - the CA certificate at the top and your certificate at the bottom.

 

You should be able to upload this into the Meraki portal.  If it is unhappy about the extension, rename it to be .cer.

Hi Philip,

Thank you for you answer. However i do not think it solves my problem. I need 2 seperate .cer files. One should be the "Device certificate" the other the "Chain Certificate"

Basically all Cisco support could provide me with was that they are unsure and that i should try this: https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance#Server_Certificates


But here i am asked to generate a CSR and purchase a new SSL basically. I wish to use my existing wildcard certificate for which i have already paid.

From my CA i am able to extract my SSL in the following formats:

Certificate in .CRT,PKCS#12/PFX, or PEM bundle.

CA Chain in .PEM

Private key in .KEY

I realize that i can convert these. But no matter what conversion i do, there is not luck.

I tried converting the certificate in CRT to CER using Windows, for the CA i transformed it to .DER, then opened it in Windows and exported as .CER so both certs were in .CER. However, i am now told that they do not much....



I am beginning to think there is no way of using my existing certificate and that i must purchase a new one.

 

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

>But here i am asked to generate a CSR and purchase a new SSL basically. I wish to use my existing wildcard certificate for which i have already paid.

 

I missed this important bit.  You can not do this.  Meraki does not allow the transportation of private keys across their network.  Your existing wildcard certificate has a private key, so can't be used.

 

You must generate a CSR from the dashboard and get a certificate issued on that.

 

You are spot-on for the other bits though - you need to upload the device certificate and the CA certificate chain separately.

Miyo360
Getting noticed

Just chiming in with my experience here. I too needed to use a custom certificate with Anyconnect, instead of the Meraki provided cert. I bought a Comodo PositiveSSL certificate from SSL2Buy. When the certificate was issued, I received a zip containing 4 files.

<mydomain.com>.crt << this is my certificate

AAACertificateServices.crt

SectigoRSADomainValidationSecureServerCA.crt

USERTrustRSAAAACA.crt

 

The latter 3 are root CA or intermediate CA certs. When configuring the custom cert in the Meraki dashboard, you are prompted to upload (1) your certificate and (2) the CA chained bundle. My cert if obvious, but I didn't know which of the others are the bungle, so I tried each of these 3 and it failed.

 

After chatting with SSL2Buy's support, they suggested I would need to create this bundle myself by copying/pasting the 3 other certificates into a new crt file in this specific order, one directly on top of the other.

 

1. USERTrustRSAAAACA.crt

2. SectigoRSADomainValidationSecureServerCA.crt

3. AAACertificateServices.crt

 

This bundle crt was then uploaded and accepted by the dashboard. I hope this helps others in a similar situation.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels