Certificate problem using SSL VPN together with MacOS version 11.1 and up

Last modified on 2 Feb, 2021. Revision 5
Clients running macOS "Big Sur" (11.1 and later) get a certificate error when they try to connect to SSL VPN, because the firewall's default certificate does not meet the requirements macOS now places on TLS server certificates.
Up to date for
cOS Core all versions
MacOS version 11.1 and up
Status OK


Author:
Musab Osman

Problem symptom

macOS 11.1 ("Big Sur") and later reject the firewall's default HTTPSAdminCert: the SSL VPN client fails with a certificate error, and Safari cannot open the firewall WebUI at all.

Solution

macOS 11 enforces Apple's requirements for TLS server certificates: the host name must be listed as a DNS entry in the Subject Alternative Name extension (a matching Common Name alone is ignored), the key must be RSA of at least 2048 bits, the signature must use SHA-2, and the validity period may not exceed 825 days. A self-signed certificate that meets these requirements can be created on the firewall with the following steps:

  1. Open the firewall WebUI in Chrome or Firefox. Because the default certificate is not trusted, the browser shows a certificate warning. In Chrome, type "thisisunsafe" blindly and press Enter; the login page then appears if the text was typed correctly. In Firefox, click Advanced and then Accept the Risk and Continue.
    1. "Blindly" means: click anywhere on the warning page so that it has keyboard focus, then type the text "thisisunsafe". Nothing is echoed on screen; the hidden command is executed when you press Enter. This bypasses certificate validation for that site, so only do it on a management path you trust.
  2. After logging in, go to Objects → General → Key Ring and click Add Certificate. Under General Certificate, change the certificate type to Self-signed, enter a proper subject name, and enter as subject alternative name the DNS name that clients use to reach the firewall, for example "*.clavister.com" (replace this with your own domain; a wildcard covers a single label only). Change the public key type to RSA instead of EC. The validity period can optionally be increased, but keep it at 825 days or less, otherwise macOS rejects the certificate. Click Generate when done.
  3. Configure the firewall to use the new certificate for both WebUI login and the SSL VPN connection:
    1. Go to System → Remote Management → Advanced Settings. Under WebUI → HTTPS Certificate, select the self-signed certificate you just created.
    2. Deploy the configuration change.
    3. On the macOS device where the SSL VPN client is installed, open the firewall over HTTPS in Safari (not Chrome or Firefox). Safari shows "This connection is not private"; click Show Details and then Visit this Website. After you confirm (Safari asks for your account password to change trust settings), the certificate is added to the login keychain automatically.
  4. Start the SSL VPN client and log in towards the firewall.

Note: Safari on macOS Big Sur cannot open the firewall WebUI at all while the default "HTTPSAdminCert" is in use, which is why step 1 uses Chrome or Firefox.
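As an added example (not from the Clavister article and not part of cOS Core), the shell script below reproduces with openssl the kind of certificate the Key Ring wizard generates in step 2 (self-signed, RSA 2048, SHA-256, DNS name in the Subject Alternative Name, 825-day validity) and then checks any certificate file against the rules macOS 11 applies to TLS server certificates. It is useful for verifying a certificate before or after it is deployed in step 3. The host names fw.example.com and vpn.example.com, the temporary directory and the file names are assumptions; it needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the Clavister article): generate with openssl the same
# kind of certificate the Key Ring wizard produces (self-signed, RSA 2048,
# SHA-256, DNS name in the Subject Alternative Name, 825-day validity) and
# check any certificate against the rules macOS 11 applies to TLS servers
# (Apple HT210176). fw.example.com, the temp directory and the file names are
# assumptions; use the host name your VPN clients actually type.
set -euf   # -f: no globbing, so a wildcard SAN such as *.example.com stays literal

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# gen_cert <host> <days> <basename>: self-signed RSA certificate with a DNS SAN.
# -addext needs OpenSSL 1.1.1 or later (the LibreSSL shipped with older macOS
# lacks it; use a Homebrew openssl there).
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$3.key" -out "$3.crt" -days "$2" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

# check_cert <cert.pem> <host>: returns 0 when the certificate passes every
# check below, 1 otherwise, printing each failed check.
check_cert() {
  cert="$1"; host="$2"; ok=0
  txt="$(openssl x509 -in "$cert" -noout -text)"

  # 1. The host name must appear as a DNS entry in the SAN (exact match or a
  #    one-label wildcard); macOS ignores a Common Name that merely matches.
  san_ok=1
  san="$(printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | tail -n1)"
  for entry in $(printf '%s\n' "$san" | tr ',' ' '); do
    case "$entry" in
      "DNS:$host"|"DNS:*.${host#*.}") san_ok=0 ;;
    esac
  done
  [ "$san_ok" -eq 0 ] || { echo "FAIL: no subjectAltName DNS entry for $host"; ok=1; }

  # 2. RSA public key (what the article recommends instead of EC) of >= 2048 bits.
  printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' \
    || { echo "FAIL: public key is not RSA"; ok=1; }
  bits="$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)"
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is only ${bits:-?} bits"; ok=1; }

  # 3. SHA-2 signature; SHA-1 signed certificates are refused.
  printf '%s\n' "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "FAIL: signature is not sha256WithRSAEncryption"; ok=1; }

  # 4. Validity of at most 825 days. -checkend succeeds when the certificate is
  #    still valid N seconds from now, so success here means it lives too long.
  #    Measured from now rather than from notBefore, so it is lenient for
  #    certificates that have already been in use for a while.
  if openssl x509 -in "$cert" -noout -checkend $((826 * 86400)) >/dev/null; then
    echo "FAIL: validity longer than 825 days"; ok=1
  fi

  [ "$ok" -ne 0 ] || echo "OK: $cert satisfies the macOS 11 checks for $host"
  return "$ok"
}

# Demonstration: the kind of certificate the article has you generate...
gen_cert fw.example.com 825 "$WORK/good"
check_cert "$WORK/good.crt" fw.example.com

# ...a wildcard one like the article's "*.clavister.com" example...
gen_cert '*.example.com' 825 "$WORK/wild"
check_cert "$WORK/wild.crt" vpn.example.com

# ...and one constructed here to fail (no SAN, ten-year validity). It is only
# an illustration, not a copy of the firewall's default HTTPSAdminCert.
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -keyout "$WORK/bad.key" \
  -out "$WORK/bad.crt" -days 3650 -subj "/CN=fw.example.com" >/dev/null 2>&1
check_cert "$WORK/bad.crt" fw.example.com || echo "(failure expected)"
```

To check what the firewall actually serves after the deploy in step 3, fetch the live certificate with `openssl s_client -connect <firewall>:443 -servername <name> </dev/null 2>/dev/null | openssl x509 -out live.crt` and run `check_cert live.crt <name>`. A certificate that passes these checks but is still refused by the VPN client points at a trust problem (the certificate was not added to the login keychain in step 3.3) rather than at the certificate's contents.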


Related articles

Configure OneConnect V.3 for macOS, iOS and iPadOS towards NetWall
9 Aug, 2021 sslvpn openconnect oneconnect macos ios netwall
Configure the Android OpenConnect client towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect android core
Configure Clavister OneConnect 3 for Windows towards Clavister NetWall
7 Jul, 2021 sslvpn openconnect oneconnect windows
Configure Linux OpenConnect towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect linux core
Configuring SSL-VPN / OneConnect server on secondary Firewall IP address
8 Apr, 2021 core sslvpn oneconnect interfaces arp
OneConnect VPN certificate not trusted
12 Oct, 2021 oneconnect sslvpn
Configure the OpenConnect-GUI client towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect macos windows linux core