186 Views, 0 Helpful, 0 Replies

ASA Cert Matching Foo

steve.horton (Level 1)

We will be migrating over to a new CA this year, so I need AnyConnect to match on more than one possible ISSUER-CN. Since all devices won't be cut over to the new CA all at once, I need it to effectively:

- send any cert from the existing CA1

-OR-

- any cert cut by the new CA2, etc.

I've tried:

- with wildcarding and without

- with Cert store "All" and "Machine"

but I always get a cert validation error.

If I remove this new cert match everything works fine, so this is a known working configuration otherwise. 

It's not even reaching out to the headend when the extra entry is in the xml, which makes me think it's doing a -AND- evaluation instead of an -OR-.

I imported the cert chain on the client and the headend, but I don't have a device cert cut by the new CA (but I shouldn't have to), only a valid one from the current CA.

Have any of you guys set this up? 

Thanks!
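The script below is an added example and is not code from the post or from Cisco. It models how a set of ISSUER-CN DistinguishedNameDefinition entries in an AnyConnect profile would select a client certificate if the entries are combined with AND, as the post suspects, versus OR. The element and attribute names (CertificateMatch, DistinguishedName, DistinguishedNameDefinition, Operator, Wildcard, MatchCase, Name, Pattern), the CA names and the client certificates are constructed assumptions for illustration, and `*` wildcards are approximated with `fnmatch`; the real client is not exercised.

```python
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed profile in the shape the post describes: one Equal rule per CA. Element and
# attribute names are an assumption about the AnyConnect profile schema, not Cisco's file.
PROFILE_TWO_ISSUERS = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Issuing CA1</Pattern>
        </DistinguishedNameDefinition>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Issuing CA2</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>
"""

# Constructed alternative: a single wildcard rule whose pattern covers both CA names.
PROFILE_WILDCARD = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Issuing CA*</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
</AnyConnectProfile>
"""

# Constructed client certificates, reduced to the DN attributes the rules inspect.
CLIENT_CERTS = {
    "laptop-ca1": {"ISSUER-CN": "Example Issuing CA1", "CN": "laptop01.example.test"},
    "laptop-ca2": {"ISSUER-CN": "Example Issuing CA2", "CN": "laptop02.example.test"},
    "laptop-other": {"ISSUER-CN": "Unrelated Root CA", "CN": "laptop03.example.test"},
}

@dataclass
class DnRule:
    name: str          # DN attribute the rule inspects, e.g. "ISSUER-CN"
    pattern: str
    operator: str      # "Equal" or "NotEqual"
    wildcard: bool
    match_case: bool

def _local(tag):
    """Strip the namespace prefix ElementTree attaches to tags."""
    return tag.rsplit("}", 1)[-1]

def load_dn_rules(profile_xml):
    """Collect every DistinguishedNameDefinition in the profile as a DnRule."""
    rules = []
    for el in ET.fromstring(profile_xml).iter():
        if _local(el.tag) != "DistinguishedNameDefinition":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        rules.append(DnRule(
            name=fields.get("Name", ""),
            pattern=fields.get("Pattern", ""),
            operator=el.get("Operator", "Equal"),
            wildcard=el.get("Wildcard", "Disabled") == "Enabled",
            match_case=el.get("MatchCase", "Enabled") == "Enabled",
        ))
    return rules

def rule_matches(rule, cert_dn):
    """Apply one rule to a certificate; '*'/'?' wildcards are approximated with fnmatch."""
    value = cert_dn.get(rule.name)
    if value is None:                      # attribute absent from the cert: never a hit
        return rule.operator != "Equal"
    v, p = (value, rule.pattern) if rule.match_case else (value.lower(), rule.pattern.lower())
    hit = fnmatch.fnmatchcase(v, p) if rule.wildcard else v == p
    return hit if rule.operator == "Equal" else not hit

def cert_selected(rules, cert_dn, semantics):
    """Combine the per-rule results with AND or OR; no rules means every cert is eligible."""
    results = [rule_matches(r, cert_dn) for r in rules]
    if not results:
        return True
    return all(results) if semantics == "AND" else any(results)

def eligible_certs(profile_xml, certs, semantics):
    """Names of the constructed certs the client would offer under the given semantics."""
    rules = load_dn_rules(profile_xml)
    return sorted(n for n, dn in certs.items() if cert_selected(rules, dn, semantics))

if __name__ == "__main__":
    for label, profile in (("two Equal rules", PROFILE_TWO_ISSUERS), ("one wildcard", PROFILE_WILDCARD)):
        for semantics in ("AND", "OR"):
            print(f"{label:16} {semantics}: {eligible_certs(profile, CLIENT_CERTS, semantics)}")
```

A certificate carries exactly one issuer CN, so two Equal ISSUER-CN rules can never both be true for the same certificate: under AND the eligible list is empty, which would leave the client with nothing to present and no reason to contact the headend, while under OR the certs from CA1 and CA2 both pass. The single wildcard rule selects both regardless of how the definitions are combined, which is why a pattern shared by the old and new issuer names is worth testing against the real client when the AND behaviour is suspected.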
