The “VPN certificate validation failure” error is exclusive to the Cisco AnyConnect VPN client for Windows, Mac, and Linux. An added reason for a quick solution is that the software is frequently used in a business setting, interconnecting computers into a secure, efficient network. And while it performs wonderfully most of the time, things sure can go wrong unexpectedly. What’s more, employees can’t always reach a network engineer and are often left to their own devices. That’s precisely when we’d like to swoop in and save the day. Let’s demonstrate how to fix the “VPN certificate validation failure” error.
1. Go through standard troubleshooting steps
Before you get into an array of unnecessary steps, make sure the problem isn’t a glitch, bug, or temporary downtime. By this, we mean going through steps 1 through 6 in our “VPN connection failed. The Request was aborted” error fix guide. Once you’ve tried that and it didn’t work, press on.
2. Double-check the VPN client profile
In essence, you need to verify that the hostname and host address are still valid. Even if you haven’t made changes manually, your network admin might have, on the server or the client side. To demonstrate this, we’ll use the Cisco AnyConnect VPN client profile on macOS:
- Find the profile file with a .xml extension in the “/opt/cisco/anyconnect/profile” folder.
- Confirm that the HostName and HostAddress values are still correct:
    <ServerList>
        <HostEntry>
            <HostName> Hostname for VPN </HostName>
            <HostAddress> FQDN (Fully Qualified Domain Name) or server’s IP address </HostAddress>
        </HostEntry>
    </ServerList>
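An added example, not from the original article, that automates this check on Linux or macOS: it parses every HostEntry under ServerList (handling the profile’s XML namespace) and flags empty names and host addresses that are neither an IP address nor a syntactically valid FQDN. The embedded profile is a constructed sample; feed check_profile the contents of the real file to check it.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample profile, not a real deployment file; real profiles live under
# /opt/cisco/anyconnect/profile/ and use the same namespace and element names.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>Corp VPN</HostName><HostAddress>vpn.example.com</HostAddress></HostEntry>
    <HostEntry><HostName>Lab VPN</HostName><HostAddress>192.0.2.10</HostAddress></HostEntry>
    <HostEntry><HostName></HostName><HostAddress>bad host.example</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# One DNS label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _local(tag):
    # Drop the namespace prefix so tags compare by local name.
    return tag.rsplit("}", 1)[-1]

def classify_address(addr):
    """Return 'ip', 'fqdn' or 'invalid' for a HostAddress value."""
    addr = addr.strip()
    try:
        ipaddress.ip_address(addr)
        return "ip"
    except ValueError:
        pass
    labels = addr.rstrip(".").split(".")
    if 0 < len(addr) <= 253 and all(_LABEL.match(label) for label in labels):
        return "fqdn"
    return "invalid"

def check_profile(xml_text):
    """Return a list of (HostName, HostAddress, problems) for every HostEntry."""
    results = []
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "HostEntry":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in entry}
        name, addr = fields.get("HostName", ""), fields.get("HostAddress", "")
        problems = []
        if not name:
            problems.append("empty HostName")
        if classify_address(addr) == "invalid":
            problems.append("HostAddress is neither an IP address nor a valid FQDN")
        results.append((name, addr, problems))
    return results
```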
3. Has the SSL/TLS certificate expired?
A common cause of the “VPN certificate validation failure” error is an expired SSL/TLS certificate. While in the past certificates were issued for longer, since 2021 the validity period has been reduced to 12 or 13 months (397 days). Although there are many ways to check this, we’ll use the ASDM client to demonstrate checking the SSL/TLS certificate expiration date:
- Open the ASDM interface for your device and operating system. We’ll use Windows Cisco ASDM for ASA.
- Switch to the Configuration tab in the top left corner.
- Go to Device Management, then Certificate Management.
- Select CA Certificates.
- Click the Show Details button on the right-hand side.
- In the General tab, check the dates listed under Valid From and Valid To.
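As an added example (not from the article), the same expiry check done from a workstation: it connects to the gateway with full certificate verification, reports verification failures the way the client meets them, and, when verification succeeds, computes the remaining days and whether the lifetime exceeds the 397-day limit. vpn.example.com is a placeholder; assess_validity works offline on the notBefore/notAfter strings Python’s ssl module returns.

```python
import datetime as dt
import socket
import ssl

MAX_LIFETIME_DAYS = 397  # the 13-month limit the article refers to


def parse_cert_time(value):
    """Turn an OpenSSL-style date ('Mar 10 12:00:00 2025 GMT') into an aware UTC datetime."""
    return dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(value), dt.timezone.utc)


def assess_validity(not_before, not_after, now=None):
    """Classify a validity window: 'expired', 'not_yet_valid', 'lifetime_too_long' or 'ok'."""
    now = now or dt.datetime.now(dt.timezone.utc)
    nb, na = parse_cert_time(not_before), parse_cert_time(not_after)
    if now > na:
        status = "expired"
    elif now < nb:
        status = "not_yet_valid"
    elif (na - nb).days > MAX_LIFETIME_DAYS:
        status = "lifetime_too_long"
    else:
        status = "ok"
    return {"status": status, "days_left": (na - now).days, "lifetime_days": (na - nb).days}


def check_gateway(host, port=443, timeout=5.0):
    """Fetch the gateway's TLS certificate with full verification and assess it.

    Verification failures (expired, unknown CA, name mismatch) are returned as the
    status instead of raised, because that is exactly what the VPN client runs into.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated after successful verification
    except ssl.SSLCertVerificationError as exc:
        return {"status": "verify_failed", "reason": exc.verify_message}
    result = assess_validity(cert["notBefore"], cert["notAfter"])
    result["subject"] = cert.get("subject")
    return result


if __name__ == "__main__":
    print(check_gateway("vpn.example.com"))  # placeholder: use your own gateway FQDN
```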
4. Install a new SSL or TLS certificate
If your certificate has expired, regenerating it is the way to fix the “VPN certificate validation failure” error. Here’s what to do:
- Follow steps 1 through 4 above.
- Highlight expired certificates and click on the Delete button to remove them.
- Download renewed certificates.
Tip. We’ll demonstrate this using “DigiCert CA” chain certificates: High Assurance EV Root CA and SHA2 High Assurance Server CA, available at www.digicert.com/digicert-root-certificates.htm.
- After downloading, go back to the CA Certificates window and click on the Add button.
- On the Install Certificate window, click on the Install from a file button.
- Click on Browse…, select a digital certificate file, then click on Install.
- Finally, click on Install Certificate, then Send at the Preview CLI Commands prompt.
- Repeat steps 4-8 for the other certificate file.
I want to use the PEM client certificate. What should I do?
So, you’re using AnyConnect VPN on Linux or Mac. If you haven’t installed certificates yet, download the client certificate and its private key and place them here:
- “~/.cisco/certificates/client/” (certificate here)
- “~/.cisco/certificates/client/private/” (private key here)
Clarification. The certificate file must end with .pem and the private key file with .key, and apart from the extension the two file names must be identical.
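An added check (not from the article) for the layout just described: it pairs each .pem under ~/.cisco/certificates/client with the .key of the same name under private/, verifies that both actually hold PEM blocks, and warns when the key is readable by other users. demo() runs the check on a constructed temporary layout instead of your real directory.

```python
import os
import tempfile
from pathlib import Path

# AnyConnect on macOS/Linux looks for the client certificate and key here.
CERT_DIR = Path("~/.cisco/certificates/client").expanduser()
KEY_DIR = CERT_DIR / "private"


def check_client_cert_layout(cert_dir=CERT_DIR, key_dir=KEY_DIR):
    """Pair each <name>.pem in cert_dir with <name>.key in key_dir; return {name: [problems]}."""
    cert_dir, key_dir = Path(cert_dir), Path(key_dir)
    certs = {p.stem: p for p in cert_dir.glob("*.pem")} if cert_dir.is_dir() else {}
    keys = {p.stem: p for p in key_dir.glob("*.key")} if key_dir.is_dir() else {}
    report = {}
    for name in sorted(set(certs) | set(keys)):
        problems, cert, key = [], certs.get(name), keys.get(name)
        if cert is None:
            problems.append("no matching .pem certificate for this .key")
        elif "-----BEGIN CERTIFICATE-----" not in cert.read_text(errors="replace"):
            problems.append(".pem file holds no PEM certificate block")
        if key is None:
            problems.append("no matching .key private key for this .pem")
        else:
            if "PRIVATE KEY-----" not in key.read_text(errors="replace"):
                problems.append(".key file holds no PEM private key block")
            mode = key.stat().st_mode & 0o777
            if os.name != "nt" and mode & 0o077:
                problems.append("private key readable by group/others (mode %o)" % mode)
        report[name] = problems
    return report


def demo():
    """Constructed layout in a temp dir: one good pair, one cert without a key,
    one key whose name differs only in case and is left world-readable."""
    with tempfile.TemporaryDirectory() as tmp:
        cdir, kdir = Path(tmp) / "client", Path(tmp) / "client" / "private"
        kdir.mkdir(parents=True)
        (cdir / "alice.pem").write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
        (kdir / "alice.key").write_text("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
        os.chmod(kdir / "alice.key", 0o600)
        (cdir / "bob.pem").write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
        (kdir / "Bob.key").write_text("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
        os.chmod(kdir / "Bob.key", 0o644)
        return check_client_cert_layout(cdir, kdir)
```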
5. Configure cryptography
Although there are ways to do this within the GUI, it’s much quicker and easier to simply run CLI (command-line interface) commands. Here’s what you can try:
1. Allowing SSL client certificates to be used on the outside
This is a step Cisco itself recommends as a permanent fix for the “VPN certificate validation failure” error. It simply makes client-side certificates available externally. Here’s how to proceed:
- Launch Cisco Client CLI like this:
- Windows. Go to “C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client” then open a file named vpncli.exe.
- Mac or Linux. Visit the “/opt/cisco/anyconnect/bin/” location and open the file named vpn.
- Paste the following command before pressing Enter:
    ssl certificate-authentication interface outside port 443
Clarification. This is assuming you’re using IKEv2/IPSec by default. For a different security protocol, replace 443 with the port it communicates over.
2. Fixing TLS version mismatch and changing cryptography method
There’s a chance that your VPN client isn’t up to date, or that there’s some sort of conflict which makes it use TLS 1.0 or TLS 1.1. This creates a problem when your cryptography tries to negotiate TLS 1.2. To fix this, open the CLI and proceed in one of 3 ways:
- Change the cipher version by entering:
    ssl cipher tlsv1.2
- Adjust the TLS 1.2 configuration to use stronger cipher suites by entering this command:
    ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
- Configure the DTLS version and its cipher suites. Type the following command:
    ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DES-CBC3-SHA"
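The “custom” suite lists above still carry RC4, single DES, 3DES and an MD5 MAC, none of which counts as strong today. As an added helper (not from the article), this parses an ASA “ssl cipher &lt;version&gt; custom” line, flags such suites, and rebuilds the command without them; the weak-pattern list is my own and should be adjusted to local policy.

```python
import re

# Algorithms that do not belong in a "stronger" suite list. Patterns are matched
# against the OpenSSL-style suite names used in the ASA "ssl cipher ... custom" string.
WEAK_PATTERNS = {
    "RC4": re.compile(r"(^|-)RC4(-|$)"),
    "single DES": re.compile(r"(^|-)DES-CBC-SHA$"),
    "3DES": re.compile(r"(^|-)DES-CBC3(-|$)"),
    "MD5 MAC": re.compile(r"-MD5$"),
    "export grade": re.compile(r"EXP-|EXPORT"),
    "NULL/anon": re.compile(r"(^|-)(NULL|ADH|AECDH)(-|$)"),
}

_CMD = re.compile(r'^\s*ssl\s+cipher\s+(\S+)\s+custom\s+"([^"]+)"\s*$')


def parse_ssl_cipher_command(line):
    """Split an ASA 'ssl cipher <version> custom "<suites>"' line into (version, [suites])."""
    # Curly quotes show up when the command is pasted from a web page; normalise them.
    m = _CMD.match(line.replace("\u201c", '"').replace("\u201d", '"'))
    if not m:
        raise ValueError("not an 'ssl cipher <version> custom' command: %r" % line)
    return m.group(1), [s for s in m.group(2).split(":") if s]


def audit_suites(suites):
    """Return {suite: [reasons]} for every suite matching a weak pattern."""
    findings = {}
    for suite in suites:
        reasons = [name for name, pat in WEAK_PATTERNS.items() if pat.search(suite)]
        if reasons:
            findings[suite] = reasons
    return findings


def harden_command(line):
    """Rebuild the command without the flagged suites; returns (new_line, findings)."""
    version, suites = parse_ssl_cipher_command(line)
    findings = audit_suites(suites)
    kept = [s for s in suites if s not in findings]
    if not kept:
        raise ValueError("every suite was flagged; nothing left to configure")
    return 'ssl cipher %s custom "%s"' % (version, ":".join(kept)), findings
```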
6. Enable or disable Windows OCSP Service Nonce
Without getting into specifics, you should know that Microsoft Windows uses RFC 5019 while the Cisco ASA behind AnyConnect VPN is only compliant with RFC 2560. As such, on Windows, it won’t accept requests signed by ASA certificates and thus prints the “VPN certificate validation failure” error. You can fix this in one of 2 ways:
1. Enable OCSP Nonce on Windows Server
Are you (or your company) using an Online Certificate Status Protocol (OCSP) responder on your Windows Server? If so, do this:
- Open your Windows Server OCSP responder client.
- Go to Administrative Tools then Online Responder Management.
- Click on the Revocation Configuration option in the left sidebar.
- Right-click on your certificate and select Edit Properties.
- In the Signing tab, put a checkmark in front of Enable NONCE extension support.
2. Disable Nonce via ASA TrustPoint
Although Cisco recommends the method above, you can also try to disable the OCSP nonce via the CLI. After launching the appropriate interface, use these commands:
    ASA(config)# crypto ca trustpoint WIN-2K12-01_Root_CA
    ASA(config-ca-trustpoint)# ocsp disable-nonce
Tip. Replace WIN-2K12-01_Root_CA with the actual TrustPoint name of your certificate (you can see it using method 4).