OneConnect VPN certificate not trusted

Last modified on 18 Mar, 2024. Revision 18
Helps you troubleshoot certificate issues when using OneConnect v3 and newer
Up to date for: cOS Core 13.00.09 and up
Supported since: cOS Core 13.00.09
Not valid for: cOS Core 13.00.08 and older
Status: OK
Author: Karsten Knecht

Description

When trying to initiate a connection with the Clavister OneConnect client, you may get one of the following errors.

Windows: Server certificate is not trusted by Windows
iOS: Invalid certificate format

Background

Certificate validation is done in several steps.

  • First, the client initiates a connection to the configured NetWall (vpnserver.mydomain.com).
  • Next, the NetWall presents its system certificate. The subject field needs to contain the correct DNS name(s) (FQDN), either vpnserver.mydomain.com or *.mydomain.com when using a wildcard certificate.
  • If the first two steps are successful, the certificate is checked against the client's system certificate store.

If there is a mismatch (for example, you enter the IP address instead of the FQDN, or the certificate is not trusted), you get one of the described errors.

  • Windows: Server certificate is not trusted by Windows.
  • Windows: Server Certificate is not valid for the requested usage. This error is also returned if the certificate has an invalid name.

Solution

  1. Make sure that your certificate meets the requirements and has the correct FQDN.
  2. Import the certificate, including its private key, in your NetWall under /Objects /General /Key Ring. Type must show as Local.
  3. Select the certificate as HTTPS certificate under /System /Device /Device Settings /Remote Management → /Advanced Settings.
    Be aware that this is also the certificate of your Web User Interface!
  4. Import the certificate into your client's system certificate store.
    1. If the certificate is bought from a well-known CA, you should be able to skip this step, as your computer already trusts the corresponding CA.
    2. If the certificate is self-signed, you need to import it on all clients using OneConnect. Please follow the documentation of your operating system on how to do this.
      1. Note: The private key should not be exported.

Using public certificates in Clavister NetWall (cOS Core) for OneConnect

If you want to use a public certificate for your clients, please refer to the following article in this Knowledge Base: Configuring public certificates in NetWall firewalls

Using self-signed certificates in Clavister NetWall (cOS Core) for OneConnect

An example of how to generate a self-signed certificate from cOS Core itself.

  1. Navigate to Objects → Key Ring.
  2. Click the drop-down menu Add → Certificate.
  3. Provide a name for the certificate (e.g., Oneconnect_160).
  4. Under the Generate Certificate sub-menu, click Configure. This opens the Certificate Generator pop-up window.
  5. Select the Certificate Type as Self-Signed.
  6. Provide the Subject Name and Subject Alternative Name along with the key size and type details.
     Example:
       • Subject name = CN=Clavister
       • Subject Alternative Names = 10.122.137.160
       • Public Key Type: RSA or EC
       • Key Size: 2048 bits
       • Signature Algorithm: SHA-256
       • Validity: 365 days
  7. Click Generate.
  8. Once the certificate is successfully generated, verify and download it.

Important: Client hostname must match certificate hostname

A specific requirement when using certificates with the OneConnect Interface is that the hostname value entered into the client must be the same as either the Common Name (CN) or one of the Subject Alternative Name (SAN) options in the certificate used by the cOS Core OneConnect Interface.

Note that the OneConnect VPN client profile must be specified with an IP address or an FQDN that matches the certificate in cOS Core.

The above image is taken from the Windows OneConnect VPN client.

  9. Select the certificate as HTTPS certificate under /System /Device /Device Settings /Remote Management → Advanced Settings.
  10. Import the certificate into your client's system certificate store.


Additional Notes

Certificate validity period: max. one year

If you are using public certificates, please make sure that they are valid for no longer than one year. SSL/TLS certificates issued after September 1, 2020 with a validity period greater than 398 days will not be trusted by Apple's Safari browser and iOS/iPadOS devices for security reasons.

Self-signed certificates are not affected by this rule as of today, but that could change at any time.
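The validation steps from the Background section, the self-signed Key Ring example above and the 398-day rule, worked through as an added Go example (this is not Clavister's or cOS Core's code): the certificate is constructed in-program with the example's CN=Clavister and SAN 10.122.137.160, and an in-memory CertPool stands in for the client's system certificate store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert is a constructed stand-in for the Key Ring example
// (CN=Clavister, SAN 10.122.137.160, 365 days); not a real NetWall certificate.
func selfSignedCert(cn, sanIP string, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		IPAddresses:  []net.IP{net.ParseIP(sanIP)}, // the SAN the client matches on
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServerCert runs the client-side checks from the Background section: name
// match, trust against the client's store (clientStore stands in for the OS store),
// and the 398-day validity limit from the Additional Notes.
func checkServerCert(cert *x509.Certificate, hostname string, clientStore *x509.CertPool) error {
	if err := cert.VerifyHostname(hostname); err != nil { // Go matches SAN entries
		return fmt.Errorf("name mismatch: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: clientStore}); err != nil {
		return fmt.Errorf("not trusted by client store: %w", err)
	}
	if cert.NotAfter.Sub(cert.NotBefore) > 398*24*time.Hour {
		return fmt.Errorf("validity exceeds 398 days")
	}
	return nil
}
```

The three failure cases map to the situations described above: an empty client store gives the "not trusted" result (the certificate has not yet been imported on the client), a hostname that is not in the SAN gives the name mismatch, and a certificate valid for more than 398 days trips the validity check.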


