Cisco ASA Anyconnect Local CA

This topic is to discuss the following lesson:

Hello Rene, first congratulations for your lessons, I have read many of them, and I have liked them all.
Now I have two questions regarded this lesson:

    <li>Is it mandatory to create/configure the Anyconnect connection first before to create the Local CA Server as you mentioned in the beginning?</li>
    <li>After the exportation from the PC and the importation in the Cisco ASA do I have to repeat that procedure (export from PC and Import in ASA) in every PC or device that I have to connect?</li>

Thank you in advance

Hi Hector,

It’s not mandatory, you could configure the local CA first. The configuration for anyconnect is pretty much the same so that’s why I referred to the previous example.

The certificate that we exported to the computer and then back to the ASA is something you only have to do once…the ASA will present this certificate to the user so that the user can authenticate the ASA.

User certificates are easier to enroll. They can fetch it using their webbrowser.


Hi Rene

“Cisco ASA Anyconnect Local CA” Means ASA act like a CA?
I don’t want a group(In your example SSL_USERS) means users does not have a choice to select group from the combo box called groups . I think if I don’t need the groups I really dont’need this part " tunnel-group MY_TUNNEL webvpn-attributes " .

In that case how do I enable double auth like username (ldap ) and certificate .

If I am using a self signed certificate double authentication is part is same ? .How do i generate certificate for the end users if i am using a self signed certificate in asa ?


Hi Sims,

That’s right, the ASA is the CA that creates certificates here. Although it works, I think it’s a better idea to use an external CA for your certificates.

The following command allows users to select a group:

ASA1(config)# webvpn
ASA1(config-webvpn)# tunnel-group-list enable 

If you remove it, users shouldn’t be able to get that option anymore.


Hi Rene,

I follow you instruction. It works great. Thank you.

But in my real job, I am trying to use a Microsoft server as a external CA. I find it very difficult to implement it. I spent 3 days but could not success.

I wonder if you have suggestions for me or could you show me a link that works.



Hi Loc,

Microsoft CA servers can be difficult to work with. I don’t have an exact example for the ASA. The only time I wrote something about Microsoft CA is when I did an example about a Wireless LAN controller where we use certificates for end users: