Cisco VPN Error 31 Certificate Won't Install

Updated April 17, 2017

A certificate is a data file issued by a certification authority (local or remote) to an individual or organisation to identify them for online services. On a network, the need to identify the user is always paramount. To meet that need, an organisation may apply for a certificate of authentication. The certification authority (CA) will keep one part of the certificate on hand and release another part to the organisation. When it comes time to authenticate a person's identity, the organisation requests a certificate from the CA. If the two parts match, then they have authenticated the user. According to Cisco, error 31 means that a certificate associated with a virtual private network (VPN) no longer exists.

Click the "Start" icon in the lower left of the screen, select "Programs" and click "Cisco Systems Inc VPN client" followed by "Certificate Manager." This launches the VPN Client Certificate Manager program, which you use to get a new certificate.

Click the "Personal Certificates" tab. Enter the password you intend to use to protect the certificate. For the enrolment type, select "File." This will prompt you for a file name; type "Client1.req."

Choose the "Base 64 encoded" radio button for the type of enrolment file. Fill out the enrolment form, and click "Next" and "Finish" when the enrolment form is complete. This will put you back in the VPN Client Certificate Manager.

Select the "Enrollment Requests" tab. Call up the CA server and select "Request a certificate" and "Advanced request." Now select the radio button, "Submit a certificate request using a base 64 encoded PKCS #10 file or a renewal request using a base 64 encoded PKCS #7 file." Click "Next" where the VPN client certificate request information appears.

Highlight the VPN client request file, press "Ctrl" + "C" to copy it and paste it to the CA server under Saved Request. Then click "Submit."

Go to the CA server, select "Pending requests," then select "All tasks" and "Issue." This produces the root and identity certificates. To download them to the VPN client, select the radio button "Check on a pending certificate." Follow that with "Base 64 encoded." Now you can download the CA certificate from the CA server. Save the file, typing "client-certificate" as its name. The file type is security certificate.

Choose the root certificate file to download from the "Retrieve the CA Certificate or Certificate Revocation List" page. Type "client-root-certificate" and click "Save." Note: A client certificate authenticates a network client; the CA signs it. On the other hand, a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority. In other words, the client certificate identifies the client; the root certificate identifies the CA.

Select "Certificate Manager," select "CA Certificate," then select "Import" and type or select the "client-root-certificate." This imports the root certificate.

Select "Certificate Manager," then "Personal Certificates" followed by "Import." This imports the client certificate. Now both the root and client certificates are on the system. Error 31 will not appear any longer.
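A sanity check for the base 64 encoded files this procedure passes around, given here as an added example that is not part of the original article or of Cisco's software: it tells a PKCS #10 request from a PKCS #7 file or an issued certificate, and rejects a copy that was cut short when pasted. The function names and the sample bytes are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # PKCS #7 signedData
# Constructed skeleton with the PKCS #10 layout and empty fields, not a real request.
SAMPLE_DER = bytes.fromhex("3010300902010030003000a0003000030100")
SAMPLE_REQ = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END NEW CERTIFICATE REQUEST-----\n")


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("body shorter than declared (truncated paste?)")
    return tag, pos, pos + length


def classify(text):
    """Return 'pkcs10', 'pkcs7' or 'certificate' for a base 64 encoded file."""
    m = PEM_RE.search(text)
    body = m.group(2) if m else text  # BEGIN/END lines are optional
    der = base64.b64decode("".join(body.split()), validate=True)
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not exactly one DER SEQUENCE")
    first, pos, stop = read_tlv(der, start)
    if first == 0x06 and der[pos:stop] == SIGNED_DATA_OID:
        return "pkcs7"
    tags = []  # tags of the elements inside the first inner SEQUENCE
    while first == 0x30 and pos < stop:
        child, _, pos = read_tlv(der, pos)
        tags.append(child)
    if tags == [0x02, 0x30, 0x30, 0xA0]:  # version, subject, key, attributes
        return "pkcs10"
    if tags[:1] == [0xA0] or len(tags) >= 6:  # TBSCertificate, v3 or v1
        return "certificate"
    raise ValueError("unrecognised structure")
```

The check covers only the outer structure of each file. It does not verify the request's signature or that the client certificate was issued by the root certificate.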


About the Author

George Garza began writing professionally in 2003. He has worked as a computer instructor, programmer and network engineer and writes for various websites. He holds certifications in Cisco's CCNA and CCNP and Microsoft's MCSE, MCITP and MCTS. Garza has a Bachelor of Arts in philosophy from the University of Texas and a Master of Science in computer information systems from the University of Liverpool.