Meraki

Community

Anyconnect MX - Custom hostname certificates - non MX generated CSR (privatekey) ?

thomasthomsen
Kind of a big deal
‎Sep 16 2024 12:24 PM
‎Sep 16 2024 12:24 PM

Anyconnect MX - Custom hostname certificates - non MX generated CSR (privatekey) ?

So , Im trying to find out, do the MX support custom certificate where the MX did not do the CSR/Private key ?

 

I mean, I could just upload my certificate with the private key included in fx. PEM, no worries, but does it support it ?
I think the answer is no, because when I try, i get the error : "Unknown Error Failed Device Cert does not match private key" (even when I have not created a CSR yet directly on the MX).
But documentation is unclear. Documentation states : "Administrators can generate a CSR, that can be signed by a public CA." - Key-word here "can" , not "must".

 

*sigh*

Thomas

0 Kudos
6 Replies 6
thomasthomsen
Kind of a big deal
‎Sep 16 2024 12:48 PM
‎Sep 16 2024 12:48 PM

Perhaps it does not support 3rd party CSR, but at least I got it so far now that I get another error message : Unknown Error Failed verifying Device Cert with Cert Chain

So I guess I just need to create the right CA chain for it to work ?

0 Kudos
In response to thomasthomsen
IvanJukic
Meraki Employee
Meraki Employee
‎Sep 16 2024 6:01 PM
‎Sep 16 2024 6:01 PM

Hi @thomasthomsen ,


Correct. The Chain of Trust is a must.  😉 

See the below excerpt from the AnyConnect Authentication Methods guide.

 

"AnyConnect server will use the uploaded trusted CA certificate to validate authenticating clients before requesting for the users' credentials.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/Authentication#Certifi...

 

 


Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
In response to IvanJukic
thomasthomsen
Kind of a big deal
‎Sep 16 2024 11:08 PM
‎Sep 16 2024 11:08 PM

But that does not really give an answer to my original question, and why , as mentioned below, it would, apparently, never work because I did my CSR "offline" so to speak. 

Or let me re-phrase, why would it complain about certchain, when i try to import the signed cert (with the private key) from my "offline" CSR, if it does not even support this ?

0 Kudos
In response to thomasthomsen
thomasthomsen
Kind of a big deal
‎Sep 16 2024 11:22 PM
‎Sep 16 2024 11:22 PM

PS: And this is not for "certificate based authentication" as the document you are pointing to, but "Server certificates" on the MX itself, for the initial connection : https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Server_Certificates

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 16 2024 3:37 PM
‎Sep 16 2024 3:37 PM

>do the MX support custom certificate where the MX did not do the CSR/Private key ?

 

No.

0 Kudos
In response to PhilipDAth
thomasthomsen
Kind of a big deal
‎Sep 16 2024 11:20 PM
‎Sep 16 2024 11:20 PM

So we agree that the documentation is "unclear" here then ? 🙂

(Especially if you ONLY have the new Anyconnect look and feel, where it does not even say 1. 2. 3.  --- and you dont have to do 1, in order to just start uploading certs at 3).

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.