On Wed, Sep 16, 2015 at 5:20 PM, Dangyi Liu <leedypku at gmail.com> wrote:
> Hi,
> I have successfully made password authentication work with iOS AnyConnect and ocserv 0.10.8. But when I try to change to certificate authentication, it complains
> client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
> I followed every instruction in http://www.infradead.org/ocserv/manual.html. However, when I execute "certtool --to-p12", it prompts "Enter a name for the key: " which is not mentioned in the manual. Is it related to my problem? Or maybe I just have a wrong config?

The issue is in the client. You need to instruct the client that it needs to trust the certificate. I guess there should be such an option in its UI.

regards,
Nikos