Corporate VPNs function quite differently from individual ones. While an individual VPN serves a single user at a time, a corporate VPN has to oversee the whole network infrastructure: it is primarily a network management tool with added security features to facilitate remote working. An individual VPN is also more of a web service than an exclusive network. As such, corporate VPNs rely on authentication more heavily than individual ones and use multiple methods to do so. One that stands out is the VPN certificate, which authenticates a VPN connection automatically. When a certificate expires, it needs to be renewed, so this article focuses on how to renew the Cisco AnyConnect VPN certificate.
Note — Want to know more about the VPN in question? Kindly, give our Cisco AnyConnect VPN review a read. You can also learn how to use Cisco AnyConnect if you’re unfamiliar.
General steps to renew a Cisco VPN certificate
Before we go through the Cisco-specific procedure, we will examine the generic approach to certificate renewal.
Note — Those who are having trouble with Cisco authentication and want to solve it can do so by reading our article on resetting the Cisco AnyConnect VPN password.
Certificate generation or creation
We start by generating a certificate for the VPN. Since Cisco AnyConnect is an SSL VPN, we need SSL certificates for it. The procedure starts with a Certificate Signing Request (CSR). Hence, before renewal can take place, a certificate must first be created for Cisco.
- At this point, you need to generate a CSR before selecting your SSL certificate.
- Now, choose the validity of the certificate. Usually, it should be 1 or 2 years for an SSL certificate.
- Review all your settings before proceeding to fill out all the relevant details.
- Then, proceed to payments.
- Deploy the certificate on the server.
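The generic key-pair-and-CSR step above, as an added example done with openssl on a workstation rather than in ASDM (the ASDM procedure later in this article generates the key pair on the device itself). This is not Cisco's code; vpn.example.com, the organisation name and the file names are placeholders. It shows the two things worth reviewing before the CSR leaves your hands: the key pair is dedicated to the VPN certificate, and the CSR carries the VPN hostname in the subject alternative name, which is what modern TLS clients match against.

```shell
#!/bin/sh
# Added example (not Cisco's code): the generic "create a key pair and a CSR" step
# done with openssl on a workstation. Assumes openssl 1.1.1 or newer is installed.
# vpn.example.com, the organisation name and the file names are placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
VPN_HOST="vpn.example.com"
KEY="$WORKDIR/vpn-key.pem"
CSR="$WORKDIR/vpn.csr"

# Generate a key pair dedicated to the VPN identity certificate. Keeping it
# separate from any default or SSH key means re-keying SSH later cannot
# invalidate the certificate.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
    chmod 600 "$KEY"
}

# Build the CSR. The VPN hostname goes into the CN and, more importantly, into
# the subjectAltName: modern TLS clients match the hostname against the SAN.
make_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/O=Example Corp/CN=$VPN_HOST" \
        -addext "subjectAltName=DNS:$VPN_HOST" 2>/dev/null
}

# Review before submitting to the CA: the self-signature must verify and the
# SAN must carry the VPN hostname. Returns 0 only if both hold.
csr_ok() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$CSR" -noout -text | grep -q "DNS:$VPN_HOST"
}

# The public key in the CSR must be the one derived from our private key;
# anything else means the wrong key was used to sign the request.
csr_matches_key() {
    csr_pub=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$KEY" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

main() {
    make_keypair
    make_csr
    if csr_ok && csr_matches_key; then
        echo "CSR ready to submit to the CA: $CSR"
        openssl req -in "$CSR" -noout -subject
    else
        echo "CSR failed review; do not submit it" >&2
        return 1
    fi
}

main
```

The private key never leaves the workstation; only the CSR is submitted to the CA, and the issued certificate is later paired with this key on the server.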
Renew an expired or soon-to-expire certificate
Since SSL certificates get generated with expiry in mind, we need to prepare for renewals from the get-go. To renew such certificates:
- Open the Certificate Manager on your device.
- Then, select the expired or soon-to-expire certificate.
- Now click on the Renew Now button to proceed with renewals.
- Pay the amount and enjoy the extended service.
Although this sounds simple, it does not apply to self-signed certificates: the procedure above works only with a third-party CA (certificate authority) that offers renewal as part of its service. If you want to manage VPN certificates yourself, keep reading. Before that, let us review a few things to keep in mind during a certificate renewal.
What to keep in mind during certificate renewal
Please heed the following during any certificate renewals.
- Keep your cert details up-to-date as you’d need them at the time of renewal for re-validation.
- In the case of a few CAs, you’ll have to complete the DCV (Domain Control Validation) steps via email if your server is also hosting a website with the same SSL certificate.
- Some VPNs rely on HTTPS validation while some favor DNS-based ones.
- If you have an OV (organization validation) or EV (extended validation) certificate, the CA will have to revalidate it. Hence, you must provide the necessary documents to the CA.
Guide to renew Cisco AnyConnect VPN certificate with ASDM
You’re now ready to renew Cisco AnyConnect VPN self-signed certificates. We will be using ASDM (Cisco Adaptive Security Device Manager) for this two-step process:
1. Create CSR using ASDM
Run the Certificate Manager on your device; in this case, we use Cisco ASDM. Now:
- Go to the Configuration menu of ASDM.
- Then, select Device Management.
- Click on Identity Certificates and then “Add.” This will open a new window for you to add a certificate to renew.
- Here, select the Add a new identity certificate radio button on the screen and choose your key pair from the drop-down menu.
- We don’t recommend using the Default-RSA-Key: if you later regenerate your SSH key, it will invalidate your certificate as a whole. Thus, follow either of these two steps to continue:
- Create a new key pair.
- Enter the name of an existing key pair to reuse it.
- After you have selected the key pair, proceed to fill out the certificate details.
- Once done, click OK and then the Add button. Your certificate will be added to the list.
- Now go to the Identity Certificate Request option and save your CSR as a .txt file. Then click on OK to continue.
- Meanwhile, you can also verify that the CSR is pending in ASDM.
- Submit the certificate request to the CA in question and wait for an update. The submission can be made via the VPN web interface, email, or directly to the root CA server.
2. Renew pending CSR
Complete these steps to renew the Cisco AnyConnect VPN certificate through installation:
- Go back to the Configuration tab.
- Open Device Management, and from there, select Identity Certificates.
- Now, select the pending CSR and click install.
- After that, in the Install Identity Certificate window, click the Paste the certificate data in base-64 format button, paste the certificate, and click Install Certificate in the popup. You can also install the certificate from an email or a .cer file.
A new window opens confirming that the certificate was installed correctly. Now:
- Click on OK to confirm the installation.
- Now, go back to the Identity Certificates segment to ensure that the certificate is active.
- All that’s left now is to bind the renewed certificate to the VPN server. Thus, follow these steps:
- Again, go to Configuration.
- Click on Device Management.
- Now select Advanced and click on SSL Settings.
- Here select the server you want the certificate to function on.
- Finally, save the configuration, either in ASDM or via the CLI (command-line interface).
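The checks a practitioner would run on the exported VPN certificate after it is installed and bound, as an added example using openssl on a workstation (not ASDM, and not Cisco's code). It covers two points this article raises: picking out a certificate that is about to expire, which is what the earlier renewal section asks you to select, and confirming that the installed certificate still matches the device key pair, which is exactly what breaks when the key behind it is regenerated. The certificate here is a constructed self-signed fixture with a 20-day validity standing in for the installed one; vpn.example.com and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not Cisco's code): checks to run on the exported VPN certificate
# after installing and binding it. Assumes openssl 1.1.1 or newer. The certificate
# is a constructed self-signed fixture standing in for the installed one;
# vpn.example.com and the file names are placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
VPN_HOST="vpn.example.com"
CERT="$WORKDIR/vpn-cert.pem"
KEY="$WORKDIR/vpn-key.pem"
REGENERATED_KEY="$WORKDIR/regenerated-key.pem"

# Constructed fixture: a self-signed certificate valid for only 20 days, plus a
# second, unrelated key pair that plays the role of a regenerated default key.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 20 -keyout "$KEY" -out "$CERT" \
        -subj "/CN=$VPN_HOST" -addext "subjectAltName=DNS:$VPN_HOST" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$REGENERATED_KEY" 2>/dev/null
}

# Returns 0 if the certificate expires within $2 days. openssl's -checkend
# exits nonzero when the cert will not survive that many seconds, which is
# the case we want to flag, so the result is inverted.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Returns 0 if the certificate's public key is the one derived from key file $2.
# A certificate that no longer matches the device key pair is what you get
# after the key behind it has been regenerated.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the certificate's subjectAltName lists hostname $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

main() {
    make_fixtures
    openssl x509 -in "$CERT" -noout -subject -enddate
    if needs_renewal "$CERT" 30; then
        echo "expires within 30 days: schedule renewal"
    fi
    if cert_matches_key "$CERT" "$KEY"; then
        echo "certificate matches the installed key pair"
    fi
    if ! cert_matches_key "$CERT" "$REGENERATED_KEY"; then
        echo "certificate does NOT match the regenerated key: it would be invalid after re-keying"
    fi
    if cert_covers_host "$CERT" "$VPN_HOST"; then
        echo "SAN covers $VPN_HOST"
    fi
}

main
```

Run the same three checks against the real exported certificate and the key pair you selected in ASDM; a renewal reminder at 30 days leaves time for CA revalidation of OV or EV certificates, and a failed key match means the certificate was issued for a different key pair than the one bound to the SSL settings.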