[OT] [AnyConnect] Firefox Certificate Store on Mac OS X is No Longer Supported

jwojda
Valued Contributor II

As an FYI - this is in the release notes for AnyConnect 3.1.05152 / 3.1.05160
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyco...

The Firefox certificate store on Mac OS X is stored with permissions that allow any user to alter the contents of the store, which allows unauthorized users or processes to add an illegitimate CA into the trusted root store. AnyConnect will no longer utilize the Firefox store for either server validation or client certificates.

You must instruct your users how to export your AnyConnect certificates from their Firefox certificate stores, and how to import them into the Mac OS X keychain. The following steps are an example of what you may want to tell your AnyConnect users.

Step 1 Navigate to Firefox > Preferences > Advanced, Certificates tab, click View Certificates.

Step 2 Select the Certificate used for AnyConnect, and click Export.

Your AnyConnect Certificate(s) will most likely be located under the Authorities category. Please verify with your Certificate Administrator as they may be located under a different category (Your Certificates or Servers).

Step 3 Select a location to save the Certificate(s), for example, a folder on your desktop.

Step 4 In the Format pull down menu, select X.509 Certificate (DER). Add the .der extension to the certificate name, if required.

Note: If more than one AnyConnect Certificate, and/or a Private Key is used/required, repeat the above process for each Certificate.

Step 5 Launch KeyChain. Navigate to File, Import Items…, and select the Certificate that you exported from Firefox.

Step 6 In the Destination Keychain:, select the desired Keychain. The login Keychain that is used for this example may not be the one used at your company. Please check with your Certificate Administrator to validate which Keychain your Certificate(s) should be imported to.

Step 7 Repeat the preceding steps for additional Certificates that are used or required for AnyConnect.

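Added example, not part of the original post or of Cisco's release notes: a shell function that checks for the condition the release note describes, listing Firefox certificate and key databases that someone other than the owner can modify. The database file names (cert8.db/key3.db, cert9.db/key4.db), the profile path in the comment and the function name `audit_nss_store` are assumptions that do not come from the page.

```shell
#!/bin/sh
# Added example: audit Firefox NSS certificate/key databases for permissions
# that let users other than the owner alter the trust store.
# Assumed usage on Mac OS X:
#   sh audit.sh "$HOME/Library/Application Support/Firefox/Profiles"

# audit_nss_store DIR
# Prints "WRITABLE_DB <file>" for each database with the group- or
# other-write bit set, and "WRITABLE_DIR <dir>" when the directory holding a
# database is itself group- or other-writable (the file could be replaced).
# Returns 0 when clean, 1 when there are findings, 2 on a bad argument.
audit_nss_store() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        find "$root" -type f \
            \( -name 'cert8.db' -o -name 'cert9.db' \
               -o -name 'key3.db' -o -name 'key4.db' \) -print |
        while IFS= read -r db; do
            dir=$(dirname "$db")
            # -perm -0020 matches group-write, -perm -0002 matches other-write
            if [ -n "$(find "$db" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
                echo "WRITABLE_DB $db"
            fi
            if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
                echo "WRITABLE_DIR $dir"
            fi
        done | sort -u
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_nss_store "$1"
fi
```
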