Install custom hostname certificate for AnyConnect on the MX

Solved
AftabK
New here

Install custom hostname certificate for AnyConnect on the MX

Hi, 

 

Has anyone been able to successfully install a custom hostname signed certificate on the MX? I am getting a "Failed verifying Device Cert with the Cert Chain" error message. I do have an open case with support already but wanted to reach out to the community as well. 

 

The last reply I received from support was to make sure that the certificate is PEM encoded. In the CA reply, I did receive the signed certificate with a .pem extension along with the intermediate/root certificate bundle with a .pem extension. I attempted to upload them but still received the cert chain error. 

 

I also converted the .pem to a .cer format using openssl but still received the cert chain error.

 

openssl x509 -inform PEM -in cacert.pem -outform DER -out certificate.cer

 

Could you please help me resolve the cert chain error?
 
Thank you in advance.

 

 

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

Meraki *gives* you a public certificate for free.  All you have to do is connect to the DDNS name that your MX says it is using, and you'll get zero AnyConnect warnings.

View solution in original post

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't know the answer.

 

I don't bother with custom DNS domains anymore.  It's not worth the grief.

 

Create a custom AnyConnect profile instead.  Users never need to see or type the DNS name then.  Now you don't care what the DNS name is.

https://www.ifm.net.nz/cookbooks/online-anyconnect-profile-editor.html 

AftabK
New here

Thank you for the response.

 

The issue is the AnyConnect client VPN is using an auto-generated cert currently. This throw a "Security Warning: Untrusted Server Certificate" warning when users connect thru the VPN. I'm trying to remove this message by installing a public CA signed certificate. 

 

I will be deploying a profile as well but wanted to resolve the cert warning issue first. 

PhilipDAth
Kind of a big deal
Kind of a big deal

Meraki *gives* you a public certificate for free.  All you have to do is connect to the DDNS name that your MX says it is using, and you'll get zero AnyConnect warnings.

AftabK
New here

I wasn't aware of that option. That's great.

 

The MX is using DDNS. The public domain name is companyname-sitename right now. Do I just change it to vpn.companyname.com if that's what I want to use or should I keep it as is and create a AnyConnect profile with the current domain name? The current domain is companyname-sitename-somechars.dynamic-m.com. 

 

Thank you so much!

AftabK
New here

Thank you so much, PhilipDAth!

 

I was able to resolve the cert warning message for VPN using a profile with the dynamic host names of the MX. 

 

https://documentation.meraki.com/MX/Other_Topics/Dynamic_DNS_(DDNS)

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance/Client_deployment 

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels