We will be migrating over to a new CA this year, so I need AnyConnect to match on more than one possible ISSUER-CN. Since all devices won't be cut over to the new CA all at once, I need it to effectively:
- send any cert from existing CA1
-OR-
- any cert cut by new CA2, etc.
I've tried:
- with wildcarding and without
- with Cert store "All and Machine"
but I always get a cert validation error.
If I remove this new cert match everything works fine, so this is a known working configuration otherwise.
It's not even reaching out to the headend when the extra entry is in the xml, which makes me think it's doing a -AND- evaluation instead of an -OR-.
I imported the cert chain on the client and the headend, but don't have a device cert cut by the new CA (but I shouldn't have to), only a valid one from the current CA.
Have any of you guys set this up?
Thanks!
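As an added illustration, not taken from the original post or from Cisco's documentation, here is what the CertificateMatch section described above looks like in an AnyConnect client profile XML: first the two-rule form the poster tried, then a single wildcard rule. The issuer names "Corp Issuing CA1" and "Corp Issuing CA2" are placeholders, and the rest of the profile (server list, CertificateStore, etc.) is omitted.

```xml
<!-- Added example, not from the original post. Issuer names are placeholders. -->

<!-- Form 1: one DistinguishedNameDefinition per CA. Every rule listed here is a
     criterion the client certificate must satisfy; a certificate has exactly
     one issuer, so two different Equal rules on ISSUER-CN can never both be
     true for the same cert, and no candidate passes the match. -->
<CertificateMatch>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
      <Name>ISSUER-CN</Name>
      <Pattern>Corp Issuing CA1</Pattern>
    </DistinguishedNameDefinition>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
      <Name>ISSUER-CN</Name>
      <Pattern>Corp Issuing CA2</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>

<!-- Form 2: one rule whose wildcard pattern matches either issuer name.
     This only works when the old and new CA names share a usable substring. -->
<CertificateMatch>
  <DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
      <Name>ISSUER-CN</Name>
      <Pattern>Corp Issuing CA*</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName>
</CertificateMatch>
```

The Operator attribute only accepts Equal or NotEqual; there is no OR between rules, so the behaviour the poster observes (the client never contacts the headend because no certificate satisfies every rule) is what the first form produces. The second form is the usual way to cover two issuers in one profile, with the caveat that the pattern must not also accept certificates from unrelated CAs in the store; when the two CA names have nothing in common, a separate profile per population during the migration avoids over-broad matching.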