08-11-2023 12:29 PM
Can anyone direct me to the details about how to limit the certificates that show up when using AnyConnect VPN client to start a connection? I have about 4 certificates that pop up each time, 3 of which are system certs for things like Intune or O365. The only valid cert is our DoD CAC PIV certificate so I would like to adjust the profile if possible to either list ONLY that cert or automatically select that cert. I would think the CAC PIV is the only cert on the list with "Smart Card Logon (1.3.6.1.4.1.311.20.2.2)" enabled.
08-11-2023 12:47 PM
@kenneth.kirchner you can use the AnyConnect Profile Editor to match on specific certificate attributes, thus automatically selecting the required certificate (ignoring the other 3 certificates).
08-13-2023 09:56 AM
Thank you! That looks to be exactly it.
Also, I have this bit of config to help anyone else who's supporting CAC:
    <CertificateMatch>
        <KeyUsage>
            <!-- poster's note: REMOVE this line -->
            <MatchKey>Non_Repudiation</MatchKey>
            <MatchKey>Digital_Signature</MatchKey>
        </KeyUsage>
        <DistinguishedName>
            <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
                <Name>ISSUER-CN</Name>
                <!-- poster's note: remove the EMAIL text, just leave DOD -->
                <Pattern>DOD EMAIL</Pattern>
            </DistinguishedNameDefinition>
        </DistinguishedName>
    </CertificateMatch>
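For anyone building the same thing, below is a complete profile fragment as an added example; it is not the poster's config and not a Cisco sample profile. It combines the KeyUsage and issuer-CN matches from the post above with the Smart Card Logon EKU from the original question, and adds an explicit NotEqual rule so the DoD e-mail signature certificate is excluded even if a store contains both. It assumes the element names the AnyConnect Profile Editor emits for the EKU section (ExtendedKeyUsage, ExtendedMatchKey, CustomExtendedMatchKey), that the PIV authentication certificate's issuer CN contains "DOD" while the e-mail signature certificate's contains "DOD EMAIL" (as the post implies), and the host name vpn.example.com is a placeholder. Every criterion inside CertificateMatch must be satisfied for a certificate to be selected, so each element you add only narrows the candidate set.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile: not the poster's config. Element names follow the
     AnyConnect Profile Editor; generate and validate there before deploying. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Pick the single matching certificate without showing the chooser -->
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <!-- Smart card certificates are exposed through the user store on Windows -->
    <CertificateStore>User</CertificateStore>
    <CertificateMatch>
      <!-- PIV Authentication cert carries digitalSignature only; the DoD e-mail
           signature cert also carries nonRepudiation, so that key is not listed -->
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <!-- Require TLS client authentication plus Smart Card Logon (the OID from
           the original question); Intune/O365 device certs lack the latter -->
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
        <CustomExtendedMatchKey>1.3.6.1.4.1.311.20.2.2</CustomExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <!-- Issuer CN must contain "DOD" (wildcard match anywhere in the string) -->
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>DOD</Pattern>
        </DistinguishedNameDefinition>
        <!-- ...but must not be the e-mail CA (assumed naming, see lead-in) -->
        <DistinguishedNameDefinition Operator="NotEqual" Wildcard="Enabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>DOD EMAIL</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- placeholder headend; replace with your ASA/FTD FQDN -->
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two things to check before pushing this from the headend: confirm the actual issuer CN strings on a real CAC (open the PIV Authentication cert in the Windows store and read the Issuer field) rather than trusting the "DOD"/"DOD EMAIL" assumption, and test on one endpoint first, because a CertificateMatch that matches nothing leaves the client with no certificate to offer and the user cannot authenticate until the profile is corrected.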