使用带有 pfx 证书的 cisco anyconnect 时证书验证失败

I have installed Cisco AnyConnect Secure Mobility Client 4.2.01022 (plus all required packages).

Then I added the .pfx certificate to the gnome2 key store.

Then I launched the Cisco AnyConnect Secure Mobility Client and entered the connection location, but Cisco keeps telling me Certificate validation failure.

Tried this:

sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca

The link was created, but it did not help. How do I connect?

Update:

This way I extracted the certificate in a few different formats:

openssl pkcs12 -in store.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in store.pfx -nocerts -nodes  -out domain.key
openssl pkcs12 -in store.pfx -out domain.crt -nodes -nokeys -cacerts
openssl pkcs12 -in  store.pfx  -nocerts -out domain.pem -nodes

There are 4 files:

domain.cer
domain.key
domain.crt
domain.pem

I placed all 4 of them in 3 different locations:

~/.cisco/certificates/ca (trusted CA and root certificates)
~/.cisco/certificates/client (client certificates)
~/.cisco/certificates/client/private (private keys)

Same error.

UPD2: Tried configuring the openconnect-compatible Cisco AnyConnect (integrated into the Linux Network Manager). It asks me to set:

CA certificate (it has to be domain.crt, so I chose it)
User certificate (is that it? - I didn't choose one)
Private key (I think it's domain.key, so I chose it)

But if I try to connect:

Certificate from VPN server [host ip] failed verification.
Reason: certificate does not match hostname
Do you want to accept it?

With the following info:
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): ****
    Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=GeoTrust RSA CA 2018
    Validity:
       Not Before: **
        Not After: **
    Subject: C=RU,ST=[city],L=[city],O=[company name],OU=IT,CN=vpn.[companyname].ru
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
....

I accept, and the same error appears: certificate validation failure. Full log:

POST https://[host_name]/
Attempting to connect to server [host_name]:443
SSL negotiation with [host_name]
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on [host_name]
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Server requested SSL client certificate; none was configured
POST https://[host_name]/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled

PS: On Windows the same steps work: double-click to add the certificate, then start the Cisco client, enter the server, then it asks for the server password (I guess), and then I'm connected.

Answer 1

AnyConnect supports client certificates in PEM format for authentication. Check the administrator guide for information on how to configure client certificates for the Linux platform. Copy the client certificate to the folder ~/.cisco/certificates/client and the private key to ~/.cisco/certificates/client/private. Additionally:

  • All certificate files must end with the extension .pem.
  • All private key files must end with the extension .key.
  • A client certificate and its corresponding private key must have the same file name. For example: client.pem and client.key.

Answer 2

You can use openconnect:

  • Install it:

sudo apt-get install network-manager-openconnect-gnome

  • Convert the certificate from .pfx to .pem:

openssl pkcs12 -in file.pfx -out file.pem -nodes

  • Open the Settings > Network menu in your GNOME / KDE desktop. Among the standard VPN settings you should see the item Cisco AnyConnect Compatible VPN.

Answer 3

I ran into a similar problem, but I'm not sure whether I'm using the mobile version of AnyConnect. My OS is Fedora 29. The VPN I was trying to connect to uses a certificate that the browser trusts, but it is not one of the certificates bundled with the AnyConnect version I installed.

The package ca-certificates was already installed on my OS and ships with the necessary certificates, so I symlinked /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem into /opt/.cisco/certificates/ca
