Same problem as Alex here, I can't spot a difference between these 2 commands, but only the openssl one works with AnyConnect client. - openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name "service" -certfile ca-cert.pem -out user.p12 - certtool --to-p12 --load-ca-certificate ca-cert.pem --load-privkey user-key.pem --load-certificate user-cert.pem --outfile user.p12 Am I right to believe both openssl and certtool choose 3des cipher by default? Both certs work on Windows, so I suspect the issue is with AnyConnect, but might worth figuring out why. PS: tried AES cipher as well with certtool, same "Certificate Enrollment - Certificate import has failed." message on import, but no error shown in AnyConnect debug log.
