I'm testing certificate based VPN authentication with the ASA and AnyConnect. Things work as I expect for the most part. One question concerns revocation of the certificates. What's the best practice for deploying this type of setup and making sure that if the situation changes that users can't get in via their certificate if I don't want them to? Revoking the cert at the CA doesn't do anything.