Ubuntu Cisco AnyConnect Setup: Custom Certificate Installation Guide

By PS

27 October 2024

How to Install and Configure Cisco AnyConnect on Ubuntu with Custom Certificates

In this guide, we'll walk through the process of installing Cisco AnyConnect on Ubuntu, converting certificate files for use with AnyConnect, and setting up a script to manage multiple certificates for different VPN connections.

This step-by-step guide is designed for users who need to install AnyConnect on their Ubuntu system, particularly for those working with certificate-based VPN authentication.

Step-by-Step Guide

  1. Download Cisco AnyConnect for Linux

    To get started, you'll need to download the Cisco AnyConnect Secure Mobility Client from Cisco's official website. You can follow this link for detailed download instructions and ensure you have the correct version for your system.

  2. Extract the AnyConnect Installation Files

    After downloading the tar file, extract it using the following command:

    ```bash
    tar -xvf anyconnect-linux64-4.10.07061-k9.tar.gz
    cd anyconnect-linux64-4.10.07061-k9
    ```

    This command extracts the AnyConnect files and moves you into the extracted directory.

  3. Install Cisco AnyConnect

    To install Cisco AnyConnect, run the installation script with sudo:

    ```bash
    sudo ./vpn_install.sh
    ```

    Follow the on-screen prompts to complete the installation. This script will install AnyConnect on your system, allowing you to connect to VPNs securely.

  4. Convert .pfx Certificate to .pem and .key Formats

    If you need to use certificate-based authentication with AnyConnect, you will likely have a .pfx file. You'll need to convert this .pfx file into separate .pem and .key files that AnyConnect can recognize. The following commands do this:

    ```bash
    openssl pkcs12 -in certificate.pfx -out certificate.pem -nokeys
    openssl pkcs12 -in certificate.pfx -out certificate.key -nocerts
    ```

    • The first command extracts the public certificate (.pem).
    • The second command extracts the private key (.key). OpenSSL asks you to set a PEM pass phrase for this file; AnyConnect will prompt for the same pass phrase when you connect.

    Be sure to save these files in a directory where you'll easily find them later, such as ~/certificates.

  5. Place the Certificate Files in the Correct Directories

    AnyConnect checks various locations for certificates, including those used by web browsers. However, to ensure AnyConnect can find your certificates, you should manually create the required directories:

    ```bash
    mkdir -p ~/.cisco/certificates/client
    mkdir -p ~/.cisco/certificates/client/private
    ```

    Now, copy or move the .pem and .key files into the respective directories:

    ```bash
    cp ~/certificates/certificate.pem ~/.cisco/certificates/client/
    cp ~/certificates/certificate.key ~/.cisco/certificates/client/private/
    ```

    Make sure the certificate and key files have the correct access rights so that AnyConnect can read them: both files must be readable by your user, and the private key should not be readable by anyone else.
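Before a converted pair is copied or symlinked into ~/.cisco/certificates it is worth confirming that the .pem and .key actually belong together, that the certificate is still valid, and that the key is not world-readable; a mismatched pair or an expired certificate only shows up later as an opaque authentication failure. The script below is an added example, not part of the original guide or of AnyConnect. It assumes the openssl command-line tool is installed; the function names, the ~/certificates layout and the optional pass phrase argument (for a key encrypted by `openssl pkcs12 -nocerts`) are choices made for this example.

```bash
#!/bin/bash
# Added example (not from the original guide): sanity-check a certificate/key
# pair before placing it in ~/.cisco/certificates. Requires the openssl CLI.
# Usage: ./check-cert-pair.sh CERT.pem CERT.key [PASSPHRASE]
# Function names and the ~/certificates layout are assumptions that follow the
# guide, not anything AnyConnect itself requires.

# Return 0 if the public key inside the certificate equals the key's public key.
cert_key_match() {
    cert="$1"; key="$2"; pass="${3:-}"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    # -passin is needed for a key encrypted by "openssl pkcs12 -nocerts";
    # stdin is redirected from /dev/null so openssl never blocks on a prompt
    if [ -n "$pass" ]; then
        key_pub=$(openssl pkey -in "$key" -pubout -passin "pass:$pass" 2>/dev/null </dev/null) || return 1
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is valid right now (-checkend 0 = "does not expire within 0 s").
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Return 0 if the private key is readable by its owner only (mode 600 or 400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run every check, report each failure, and return non-zero if any check failed.
check_pair() {
    cert="$1"; key="$2"; pass="${3:-}"; status=0
    cert_not_expired "$cert" || { echo "FAIL: $cert is expired or unreadable"; status=1; }
    cert_key_match "$cert" "$key" "$pass" || { echo "FAIL: $key does not match $cert"; status=1; }
    key_perms_ok "$key" || { echo "FAIL: $key should be owner-only (chmod 600 \"$key\")"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: $cert / $key"
    return "$status"
}

# Command-line entry point, e.g.:
#   ./check-cert-pair.sh ~/certificates/certificate.pem ~/certificates/certificate.key
if [ "$#" -ge 2 ]; then
    check_pair "$1" "$2" "${3:-}"
fi
```

Run it against each pair in ~/certificates before step 6 symlinks one of them into place. The public-key comparison is the reliable test for "this key belongs to this certificate"; comparing file names, as the switching script necessarily does, only proves they were saved next to each other.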

  6. Handling Multiple Certificates with a Script

    If you need to switch between multiple certificates for different VPN connections, you can automate the process using a simple Bash script. This script allows you to select and symlink the desired certificate pair into AnyConnect's directories before connecting to the VPN.

    First, create the following Bash script:

    ```bash
    #!/bin/bash

    # Define your certificate directory and the AnyConnect client directory
    CERT_DIR=~/certificates
    CISCO_DIR=~/.cisco/certificates/client

    # Make sure the AnyConnect certificate directories exist
    mkdir -p "$CISCO_DIR/private"

    # Collect the .pem files; with nullglob an unmatched pattern expands to nothing
    # instead of the literal string "*.pem"
    shopt -s nullglob
    PEMS=("$CERT_DIR"/*.pem)
    if [ ${#PEMS[@]} -eq 0 ]; then
        echo "No .pem files found in $CERT_DIR"
        exit 1
    fi

    # List available certificates (.pem files only)
    echo "Available certificates:"
    select CERT in "${PEMS[@]}"; do
        if [ -z "$CERT" ]; then
            echo "Invalid selection. Please try again."
        else
            echo "You selected: $CERT"

            # Construct the corresponding .key file path by stripping the .pem suffix
            CERT_KEY="${CERT%.pem}.key"

            # Check if the key file exists
            if [ ! -f "$CERT_KEY" ]; then
                echo "Error: Corresponding key file not found for $CERT"
                exit 1
            fi

            echo "Using corresponding key: $CERT_KEY"

            # Symlink the selected certificate and key into the Cisco directories
            ln -sf "$CERT" "$CISCO_DIR/certificate.pem"
            ln -sf "$CERT_KEY" "$CISCO_DIR/private/certificate.key"

            echo "Symlinks created for $CERT and $CERT_KEY"
            break
        fi
    done
    ```

    How to Use the Script:

    1. Save the script to a file, for example, switch-certificates.sh.
    2. Make the script executable:

       ```bash
       chmod +x switch-certificates.sh
       ```

    3. Run the script:

       ```bash
       ./switch-certificates.sh
       ```

    This script will present a list of available .pem files in your ~/certificates directory. Once you select a certificate, it will symlink the corresponding .pem and .key files into the AnyConnect directories, making them the active certificate for your next VPN connection.

  7. Connect to the VPN Using Cisco AnyConnect

    Once you've set up the certificates, you can launch Cisco AnyConnect from your system's application menu. When you connect to the VPN, AnyConnect will ask you for the password you set for the .key file during the conversion process. After entering the correct credentials, you should be able to authenticate and connect to your VPN.

Conclusion

Installing Cisco AnyConnect and configuring it to work with custom certificates on Ubuntu is straightforward when you follow the right steps. By converting your .pfx files to .pem and .key, placing them in the correct directories, and using a script to manage multiple certificates, you can streamline your VPN connection process.