We need to put to work an access-VPN (remote clients to PIX firewall) with a Microsoft CA. We already have a Microsoft CA working with a Web-based application and would like to use the same CA for the VPN but we do not want to have users being able to mess up by using certificates issued for web access with the VPN. We know that Microsoft CA can generate certificates with flags that indicate suitable uses for the certificate (web access, VPN, etc) in addition to specifying signature/encryption only certificates.

Our question is: will Cisco VPN clients and the PIX firewall understand the flags that specify that the certificate should only be used for VPN or web access?