Skip to main content



Cisco Defense Orchestrator

Remote Access VPN Certificate-Based Authentication

The remote access VPN uses digital certificates for authenticating secure gateways and AnyConnect clients (endpoints) in the following scenarios: 

Important: CDO handles the installation of digital certificates on the VPN headends (ASA or FTD). It does not handle the installation of certificates on the AnyConnect client device. The administrator of your organization must handle it.  

  • Identify and authenticate the VPN headend device (ASA or FTD): 

VPN headends require an identity certificate to identify and authenticate themselves when the AnyConnect client requests a VPN connection. Using CDO, you must install the identity certificate on the device. See Installing an Identity Certificate Using PKCS12 or Certificate And Key. It is not mandatory to install the issuer's CA certificate on the AnyConnect client.

While creating the Remote Access VPN configuration from CDO, assign the enrolled identity certificate to the outside interface of the device and download the configuration to the device. The identity certificate becomes fully operational on the outside interface of the device. 

When the AnyConnect client attempts to connect to VPN, the device authenticates itself by presenting its identity certificate to the AnyConnect client. The AnyConnect client verifies this identity certificate with its trusted CA certificate and trusts the certificate and thereby the device. If the CA certificate isn’t installed on the AnyConnect client, the user must manually trust the device when prompted.

  • Identify and authenticate the AnyConnect client:

Note: This applies when you use "Client Certificate Only" or "AAA and Client Certificate" as the authentication method in the connection profile of RA VPN configuration. It does not apply for "AAA Only".  

Once the device is trusted, the AnyConnect client needs to authenticate itself to complete the VPN connection. You must install an identity certificate on the AnyConnect client and using CDO, install a trusted CA certificate on the device. These certificates must be issued from the same certificate authority. See Installing Trusted CA Certificate in ASA.

The AnyConnect client presents its identity certificate and the device verifies this certificate with its trusted CA certificate and establishes the VPN connection. 

  • Was this article helpful?