Install custom hostname certificate for AnyConnect on the MX

Solved
AftabK
New here


Hi,

Has anyone been able to successfully install a custom hostname signed certificate on the MX? I am getting a "Failed verifying Device Cert with the Cert Chain" error message. I do have an open case with support already but wanted to reach out to the community as well.

The last reply I received from support was to make sure that the certificate is PEM encoded. In the CA reply, I did receive the signed certificate with a .pem extension along with the intermediate/root certificate bundle with a .pem extension. I attempted to upload them but still received the cert chain error.

I also converted the .pem to a .cer format using openssl but still received the cert chain error.

openssl x509 -inform PEM -in cacert.pem -outform DER -out certificate.cer

Could you please help me resolve the cert chain error?

Thank you in advance.
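
A local pre-upload check for the two things this question touches, PEM encoding and whether the signed certificate chains to the CA bundle, as an added example that is not part of the original thread or Meraki's own tooling. The function names, file names and throwaway test PKI are constructed, and it is an assumption that a local `openssl verify` approximates the check the dashboard performs.

```sh
#!/bin/sh
# Added example: function names, file names and the test PKI are constructed.

# is_pem FILE: succeeds if FILE is a PEM-encoded X.509 certificate.
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# chain_ok LEAF BUNDLE: succeeds if LEAF chains to a self-signed root using the
# certificates in BUNDLE. -no-CApath keeps the system trust directory out of
# the result (on OpenSSL 3.x, -no-CAstore can be added for the same reason).
chain_ok() { openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; }

# check_upload LEAF BUNDLE: prints one finding; returns 0 only for "ok".
check_upload() {
    is_pem "$1" && is_pem "$2" || { echo "not-pem"; return 1; }
    chain_ok "$1" "$2" || { echo "chain-incomplete"; return 1; }
    echo "ok"
}

# make_test_pki DIR: constructed root -> intermediate -> leaf, plus a DER copy
# of the leaf made with the same kind of conversion the post describes.
make_test_pki() {
    pki=$1; cnf=$pki/ca.cnf
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$cnf"
    newkey() { cn=$1; out=$2; shift 2; openssl req -config "$cnf" -newkey rsa:2048 \
        -nodes -subj "/CN=$cn" -keyout "$pki/${out%.*}.key" -out "$pki/$out" "$@" 2>/dev/null; }
    sign() { crt=$1; ca=$2; shift 2; openssl x509 -req -in "$pki/$crt.csr" -days 2 \
        -CA "$pki/$ca.pem" -CAkey "$pki/$ca.key" -CAcreateserial -out "$pki/$crt.pem" "$@" 2>/dev/null; }
    newkey "Constructed Root" root.pem -x509 -days 2
    newkey "Constructed Intermediate" int.csr
    sign int root -extfile "$cnf" -extensions v3_ca
    newkey "vpn.example.com" leaf.csr
    sign leaf int
    cat "$pki/int.pem" "$pki/root.pem" > "$pki/bundle.pem"
    openssl x509 -in "$pki/leaf.pem" -outform DER -out "$pki/leaf.cer"
}

if [ "$#" -eq 2 ]; then
    check_upload "$1" "$2"
else
    d=$(mktemp -d) && make_test_pki "$d"
    check_upload "$d/leaf.pem" "$d/bundle.pem" || :   # ok
    check_upload "$d/leaf.cer" "$d/bundle.pem" || :   # not-pem
    check_upload "$d/leaf.pem" "$d/root.pem"   || :   # chain-incomplete
    rm -rf "$d"
fi
```

Run with two arguments (signed certificate, then CA bundle) to check real files; with no arguments it exercises the constructed chain.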

 

 

PhilipDAth
Kind of a big deal

I don't know the answer.

I don't bother with custom DNS domains anymore. It's not worth the grief.

Create a custom AnyConnect profile instead. Users never need to see or type the DNS name then. Now you don't care what the DNS name is.

https://www.ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html

Thank you for the response.

The issue is the AnyConnect client VPN is using an auto-generated cert currently. This throws a "Security Warning: Untrusted Server Certificate" warning when users connect through the VPN. I'm trying to remove this message by installing a public CA signed certificate.

I will be deploying a profile as well but wanted to resolve the cert warning issue first.

PhilipDAth
Kind of a big deal

Meraki *gives* you a public certificate for free. All you have to do is connect to the DDNS name that your MX says it is using, and you'll get zero AnyConnect warnings.

I wasn't aware of that option. That's great.

The MX is using DDNS. The public domain name is companyname-sitename right now. Do I just change it to vpn.companyname.com if that's what I want to use, or should I keep it as is and create an AnyConnect profile with the current domain name? The current domain is companyname-sitename-somechars.dynamic-m.com.

Thank you so much!

Thank you so much, PhilipDAth!

I was able to resolve the cert warning message for VPN using a profile with the dynamic host names of the MX.

https://documentation.meraki.com/MX/Other_Topics/Dynamic_DNS_(DDNS)

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Client_deployment

 

 
