OneConnect VPN certificate not trusted

Last modified on 12 Oct, 2021. Revision 9
Helps you troubleshoot certificate issues when using OneConnect v3 and newer
Up to date for
cOS Core 13.00.09 and up
Supported since
cOS Core 13.00.09
Not valid for
cOS Core 13.00.08 and older
Status OK
Author
Karsten Knecht

Description

When initiating a connection with the Clavister OneConnect Client, you may get one of the following errors.

Windows: Server certificate is not trusted by Windows
iOS: Invalid certificate format

Background

Certificate validation is done in several steps.

If there is a mismatch (for example, you enter the IP address instead of the FQDN, or the certificate is not trusted), you get the error described above.

Solution

  1. Make sure that your certificate meets the requirements and contains the correct FQDN.
  2. Import the certificate, including its private key, into your NetWall under /Objects /General /Key Ring. The type must show as Local.
  3. Select the certificate as the HTTPS certificate under /System /Device /Device Settings /Remote Management → /Advanced Settings
    Be aware that this certificate is also used for your Web User Interface!
  4. Import the certificate into your client's system certificate store.
    1. If the certificate was bought from a well-known CA, you should be able to skip this step, as your computer already trusts the corresponding CA.
    2. If the certificate is self-signed, you need to import it on all clients using OneConnect. Please follow the documentation of your operating system on how to do this.
      1. Note: The private key should not be exported.
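
The name check behind the mismatch described under Background, as an added example (not Clavister or OneConnect code). It follows general RFC 6125-style matching, and the SAN lists and addresses are constructed sample values standing in for what your certificate actually contains.

```python
import ipaddress

def _dns_match(pattern, host):
    """Compare one dNSName entry with the entered host name.
    A '*' is accepted only as the whole left-most label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_server_name(entered, san_dns, san_ip):
    """Return (ok, reason) for the server address typed into the VPN client.
    san_dns / san_ip are the dNSName and iPAddress entries of the certificate."""
    try:
        addr = ipaddress.ip_address(entered)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared with iPAddress entries only, never with DNS names.
        if any(addr == ipaddress.ip_address(ip) for ip in san_ip):
            return True, "IP address is listed in the certificate"
        return False, "IP address entered, but certificate names only: " + ", ".join(san_dns)
    if any(_dns_match(p, entered) for p in san_dns):
        return True, "FQDN matches the certificate"
    return False, "FQDN is not covered by the certificate"

if __name__ == "__main__":
    # Constructed sample: a certificate issued for the FQDN only.
    san_dns, san_ip = ["vpn.example.com"], []
    for entered in ("vpn.example.com", "203.0.113.10", "gw.example.com"):
        ok, reason = check_server_name(entered, san_dns, san_ip)
        print(f"{entered:18} {'OK  ' if ok else 'FAIL'} {reason}")
```

A name match alone is not sufficient: the certificate must also chain to a CA in the client's trust store, which is what step 4 addresses.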


