Cisco AnyConnect, Certificate Auth, and Admin Prompts

Requiring certificate auth to your ASA for VPN? Then this prompt in AnyConnect probably looks familiar and results in too many calls to the help desk.

Unless AnyConnect is aware of which certificate it needs, it's going to go gangbusters through your system keychain looking for it, prompting for local administrative rights for every usable certificate it finds.

There are 2 ways to handle this:

1) Preferred - Push out an AnyConnect profile from the ASA that includes a certificate match. AnyConnect documentation here, but the idea is that AnyConnect will look for a unique attribute in your VPN certificate and only offer certificates that match it.

2) Stage a ~/.anyconnect file. Here you can not only tell AnyConnect which certificate to use, but you can also autofill the server address.

Scenario 1 - If you use a single certificate across all clients, configuration is straightforward.

Import your certificate, allowing trust settings for the AnyConnect application. In addition, you may want to modify the partition IDs to hide the "Allow/Deny" prompt.


Grab the SHA-1 hash of your certificate:

security find-certificate -c "$CERTIFICATE_NAME" -Z | grep 'SHA-1' | awk '{print $3}'

(Match on 'SHA-1' rather than 'SHA': newer macOS releases print a SHA-256 line too, and a bare grep for SHA would return both hashes.)

Take that value and create an XML file at ~/.anyconnect.
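
The two steps above (grab the hash, write the file) as one script, added here as an example and not taken from the original post. The element names `ClientCertificateThumbprint` and `DefaultHostName` are assumed from the AnyConnect preferences file format rather than from this page; compare them against a ~/.anyconnect file the client has written itself before rolling this out. The script only touches the keychain when run with two arguments on a Mac that has security(1); the parsing and rendering functions work on any POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original post): build ~/.anyconnect from a
# certificate's SHA-1 thumbprint.  <ClientCertificateThumbprint> and
# <DefaultHostName> are assumed from the AnyConnect preferences format.

# Pull the SHA-1 thumbprint out of `security find-certificate -Z` output.
# Newer macOS builds print a SHA-256 line as well, so match "SHA-1 hash:"
# exactly, take only the first match, and normalise to upper-case hex.
extract_sha1() {
    awk '/^SHA-1 hash:/ { print toupper($3); exit }'
}

# A thumbprint is exactly 40 hex digits; refuse anything else so a grep
# miss never stages an empty or garbage preference silently.
valid_sha1() {
    case $1 in
        *[!0-9A-Fa-f]*|'') return 1 ;;
    esac
    [ ${#1} -eq 40 ]
}

# Emit the preferences XML for a thumbprint and VPN host name.
# Values are written as-is; pass only a hostname, not arbitrary text.
render_anyconnect() {
    thumb=$1
    host=$2
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<AnyConnectPreferences>' \
        "<ClientCertificateThumbprint>${thumb}</ClientCertificateThumbprint>" \
        "<DefaultHostName>${host}</DefaultHostName>" \
        '</AnyConnectPreferences>'
}

# Look the certificate up by common name and stage ~/.anyconnect.
# Usage: stage_anyconnect "$CERTIFICATE_NAME" vpn.example.com
stage_anyconnect() {
    cert_name=$1
    host=$2
    thumb=$(security find-certificate -c "$cert_name" -Z | extract_sha1)
    if ! valid_sha1 "$thumb"; then
        echo "no SHA-1 thumbprint found for certificate '$cert_name'" >&2
        return 1
    fi
    render_anyconnect "$thumb" "$host" > "$HOME/.anyconnect"
    # The file names the VPN endpoint and the cert to present; keep it
    # user-private so nothing else on the box can quietly rewrite it.
    chmod 600 "$HOME/.anyconnect"
}

# Only run against the real keychain when invoked with both arguments on a
# machine that actually has security(1); otherwise just define the functions.
if [ "$#" -eq 2 ] && command -v security >/dev/null 2>&1; then
    stage_anyconnect "$1" "$2"
fi
```

Run it as `sh stage-anyconnect.sh "My VPN Cert" vpn.example.com` (hostname is a placeholder). If the common name matches more than one certificate, `security find-certificate -c` without `-a` returns the first hit, so the script takes the first SHA-1 line it sees; use a name that is unique in the keychain, or check the rendered file against the cert you meant to pin.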


Scenario 2 - Your users may need to download a unique certificate