certificate update questions

andre.frost · ‎07-06-2016

Hello,

for Windows Anyconnect client if certificate expires a new certificate is issued by internal PKI and send to client machines.
Now the client has 2 certificates, the expired one and the new one. If user connect Anyconnect stops working and there is an option to choose which certificate to use. But this is not a suitable option for the client, the client does not want their users to choose which certificate to use.
Is there a way that AnyConnect automatically chooses the active certificate?

Thanks

JP Miranda Z · ‎07-07-2016

Hi andre.frost,

This documentation will give you the steps to follow:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html#ID-1428-00000555

AutomaticCertSelection
o If you use the AutomaticCertSelection set to false the user should be presented a drop down list with the certificates he can use
o If this option is set to true, the system API returns the certificates in it's own order

Having the API doing their own check order is not fully recommended since this one could select the wrong certificate.

On the same document you have the option of using certificate matching which is going to set a criteria to be checked on the certificate.

Hope this info helps!!

Rate if helps you!!