Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1802
Views
0
Helpful
3
Replies

How to enforce a client certificate?

Go to solution
alsii
Level 1
Level 1

‎01-21-2019 08:42 AM

I need to enforce the certificate used by my VPN client. Is it possible without suppressing the certificates present in the Windows personal and machine stores?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-21-2019 08:47 AM

Hi,
If you use the AnyConnect VPN Profile Editor, you can select which certificate store All (default), machine or user. The AnyConnect XML file can be pushed out via ASA directly.

Alternatively edit the anyconnect profile xml file, manually and change to the following:

<CertificateStore>User</CertificateStore>

HTH

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to alsii

‎01-23-2019 03:34 AM

Hi,

No, there is only the user or machine certificate stores, you cannot further segregate.

 

If you wanted something unique for AnyConnect you could create a unique certificate template e.g "VPNTemplate" on the CA, distribute the certificates to AnyConnect users. Within AnyConnect (using the profile editor) you could match on a specific value only within that template.

 

HTH

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎01-21-2019 08:47 AM

Hi,
If you use the AnyConnect VPN Profile Editor, you can select which certificate store All (default), machine or user. The AnyConnect XML file can be pushed out via ASA directly.

Alternatively edit the anyconnect profile xml file, manually and change to the following:

<CertificateStore>User</CertificateStore>

HTH
0 Helpful

Go to solution
alsii
Level 1
Level 1
In response to Rob Ingram

‎01-23-2019 01:04 AM

Thanks, can I use a custom store to have a neat certificates segregation, possibly integrated into anyconnect?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to alsii

‎01-23-2019 03:34 AM

Hi,

No, there is only the user or machine certificate stores, you cannot further segregate.

 

If you wanted something unique for AnyConnect you could create a unique certificate template e.g "VPNTemplate" on the CA, distribute the certificates to AnyConnect users. Within AnyConnect (using the profile editor) you could match on a specific value only within that template.

 

HTH

0 Helpful
Customers Also Viewed These Support Documents