01-05-2006 07:38 AM - edited 02-21-2020 10:14 AM
On a VPN client configured for mutual group authentication to a VPN 3000 headend, is it possible to restrict which root certificate is matched against the VPN concentrator's identity certificate?
Background: multiple CA root certificates are installed on the VPN client for other reasons, but only one CA should be used for the VPN mutual group authentication.
01-11-2006 08:56 AM
As far as I know, there is no option to define this on the VPN client. Maybe the VPN client tries to match the certificates in the order listed on the client. I am not sure of this, though you can try placing the certificate at the top of the list.
01-13-2006 01:18 AM
Ordering the list does not help, because I want to match against only certain ones of the installed root certificates.
Thanks nevertheless ... in the meantime, I found something:
-- VPN client version 4.0.5: no restriction possible, only the certificate store used for matching can be defined (Microsoft, Cisco)
-- VPN client 4.6 and later: with the "VerifyCertDN" keyword in the connection profile, this can be done.
The connection profile attributes "CertName" or "CertSubjectName" are apparently not checked for this type of authentication.