Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
CRL is Not Supported for Server Certificate Verification
Many sites position the Certificate Authority they use to validate server certificates inside the corporate network. That means that a
client cannot verify CRL when it is trying to connect to a headend, since the CRL is not accessible on the public network. The client
operating system can be configured to verify CRL in Windows and Mac OS X, but we ignore that setting.
client cannot verify CRL when it is trying to connect to a headend, since the CRL is not accessible on the public network. The client
operating system can be configured to verify CRL in Windows and Mac OS X, but we ignore that setting.
Firefox Certificate Store on Mac OS X is Not Supported
The Firefox certificate store on Mac OS X is stored with permissions that allow any user to alter the contents of the store, which
allows unauthorized users or processes to add an illegitimate CA into the trusted root store. Anyconnect no longer utilizes the Firefox
store for either server validation or client certificates.
allows unauthorized users or processes to add an illegitimate CA into the trusted root store. Anyconnect no longer utilizes the Firefox
store for either server validation or client certificates.
If necessary, instruct your users how to export your AnyConnect certificates from their Firefox certificate stores, and how to import
them into the Mac OS X keychain. The following steps are an example of what you may want to tell your AnyConnect users.
them into the Mac OS X keychain. The following steps are an example of what you may want to tell your AnyConnect users.
1
Navigate to Firefox > Preferences > Advanced, Certificates tab, click View Certificates.
2
Select the Certificate used for AnyConnect, and click Export.
Your AnyConnect Certificate(s) will most likely be located under the Authorities category. Verify with your Certificate
Administrator, as they may be located under a different category (Your Certificates or Servers).
Administrator, as they may be located under a different category (Your Certificates or Servers).
3
Select a location to save the Certificate(s), for example, a folder on your desktop.
4
In the Format pull down menu, select X.509 Certificate (DER). Add the .der extension to the certificate name, if required.
If more than one AnyConnect Certificate and/or a Private Key is used/required, repeat the above process
for each Certificate).
for each Certificate).
Note
5
Launch KeyChain. Navigate to File, Import Items…, and select the Certificate that you exported from Firefox.
In the Destination Keychain:, select the desired Keychain. The login Keychain that is used for this example may not be the one
used at your company. Ask your Certificate Administrator to which Keychain your certificate(s) should be imported.
used at your company. Ask your Certificate Administrator to which Keychain your certificate(s) should be imported.
16