Beginner

How to enforce a client certificate?

I need to enforce the certificate used by my VPN client. Is it possible without suppressing the certificates present in the Windows personal and machine stores?

3 Replies
VIP Advisor

Re: How to enforce a client certificate?

Hi,
If you use the AnyConnect VPN Profile Editor, you can select which certificate store to use: All (default), Machine or User. The AnyConnect XML file can be pushed out via the ASA directly.

Alternatively, edit the AnyConnect profile XML file manually and change it to the following:

<CertificateStore>User</CertificateStore>

HTH

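As an added example (not code from the thread or from Cisco), the following Python script audits and enforces the `CertificateStore` setting in an AnyConnect client profile. It assumes the profile uses the `http://schemas.xmlsoap.org/encoding/` namespace and keeps the setting under `ClientInitialization`; the sample profile embedded below is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace of AnyConnect client profiles (assumption; compare against a
# profile saved by your own Profile Editor before relying on it).
NS = "http://schemas.xmlsoap.org/encoding/"
ET.register_namespace("", NS)

# The only values the CertificateStore element accepts.
VALID_STORES = {"All", "Machine", "User"}

# Constructed sample profile, not taken from any real deployment.
SAMPLE_PROFILE = f"""<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <CertificateStore>All</CertificateStore>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def get_certificate_store(profile_xml: str) -> Optional[str]:
    """Return the CertificateStore value, or None when the element is absent."""
    root = ET.fromstring(profile_xml)
    elem = root.find(f"{{{NS}}}ClientInitialization/{{{NS}}}CertificateStore")
    return elem.text.strip() if elem is not None and elem.text else None


def set_certificate_store(profile_xml: str, store: str) -> str:
    """Return a copy of the profile with CertificateStore forced to `store`.

    Creates ClientInitialization/CertificateStore if either is missing, so a
    profile that silently falls back to the default (All) is fixed as well.
    """
    if store not in VALID_STORES:
        raise ValueError(f"store must be one of {sorted(VALID_STORES)}")
    root = ET.fromstring(profile_xml)
    init = root.find(f"{{{NS}}}ClientInitialization")
    if init is None:
        init = ET.SubElement(root, f"{{{NS}}}ClientInitialization")
    elem = init.find(f"{{{NS}}}CertificateStore")
    if elem is None:
        elem = ET.SubElement(init, f"{{{NS}}}CertificateStore")
    elem.text = store
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", get_certificate_store(SAMPLE_PROFILE))
    print("after: ", get_certificate_store(set_certificate_store(SAMPLE_PROFILE, "User")))
```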

Beginner

Re: How to enforce a client certificate?

Thanks, can I use a custom store to have a neat certificate segregation, possibly integrated into AnyConnect?

VIP Advisor

Re: How to enforce a client certificate?

Hi,

No, there is only the user or machine certificate stores, you cannot further segregate.
If you wanted something unique for AnyConnect, you could create a unique certificate template, e.g. "VPNTemplate", on the CA and distribute the certificates to AnyConnect users. Within AnyConnect (using the profile editor) you could match on a specific value only within that template.
HTH
