Hi All.

Our goal is to ensure the AnyConnect VPN is only able to be used by corporate devices. 

Our expectation is that we can use Group Policy (or similar) to push a certificate to all computers that connect to the VPN, and this certificate is validated by the ASA.

We desire the certificate to be non-exportable so that it cant be used on another computer. 

We create our internal certificates using XCA (Like OpenSSL) and have an internal CA and intermediate CA already configured.

Using XCA I have created a CA, an Intermediate CA, and a 'client' certificate.

On the ASA I have installed the client cert and the CA's

And on the SSL settings I have configured the outside interface to use this identity certificate

And I have installed the client certificate onto the test computer

Now when I connect using the new VPN Profile I have created, it prompts me for the certificate, and it connects succesfully. 

If I select a random certificate, it does not connect. As expected

The problem is such: using windows certificate manager I can export the certificate off the computer without the private key. and this exported (keyless) certificate can then be installed on another computer and still connects

It seems the ASA is not validating that the private key is present in the client computer. 

I suspect this is something to do with the Certificate Matching or Certificate Pinning or something in the AnyConnect Client Profile but I cant seem to get it to work. 

This guide has been pretty helpful

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html#anc18

But it even in this guide it shows screenshots of the client certificate without any private key. 

Can someone point me in the right direction for validating the private key on the client? Cheers!