When creating a VPN from an iPhone to Astaro Security Gateway, 'Could Not Verify Server Certificate' error displayed

  • Article ID: 116162
  • Rating:
  • 9 customers rated this article 3.9 out of 6
  • Updated: 24 May 2012

Issue

When you attempt to create a VPN from an iPhone to Astaro Security Gateway (ASG) using the Cisco VPN client, an error occurs stating that the iPhone 'Could Not Verify Server Certificate'.

Known to apply to the following Sophos product(s) and version(s)


Sophos UTM
Astaro Security Gateway / Sophos UTM

Operating systems
V7, V8, V9

Cause

When first set up, the hostname of the ASG was not a fully qalified domain name, or the FQDN has since changed.

To confirm this, 

  1. Go to Remote Access | Cisco (tm) VPN Client and locate the server certificate.
  2. Go to Remote Access | Certificate Management and locate the certificate used in the VPN configuration ("local X509 Cert" by default).

The VPN ID should be an FQDN, if it is not, then you must create a new certificate as described below.

What To Do

Follow these steps to create a new server certificate that the iPhone can verify.

  1. To Create a new certificate, you will probably want to copy the information from the original certificate.To view this information, 
    • under Remote Access | Certificate Management click "download" for the required certificate, choose 'PEM' format.
    • Open the certificate in any text editor.
  2. Still under Certificate Management, click "New Certificate".
  3. Enter information into the form to create a new certificate.  Most fields are arbitrary, but you must make the VPN ID type "hostname" and the hostname must match the public hostname of the ASG. 
  4. Save the certificate.
  5. Go to Remote Access | Cisco VPN Client and select the new certificate as the server certificate and save. 

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments