Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
599
Views
0
Helpful
1
Replies

Secure Client Template Identifier

Go to solution
SzantaiNorbert
Level 1
Level 1

‎01-21-2025 04:15 AM

Dear All,

Starting with Secure Client 5.0 we have the ability to automatically select a certificate based on the template identifier:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/admin/guide/b-cisco-secure-client-admin-guide-5-0/anyconnect-profile-editor.html

"

Template Identifier—Provides a different way to match certificates in the Profile Editor Certificate Match panel and includes additional filtering of the Template Name and Template Information Certificate fields. To minimize the number of certificates to send to the Secure Firewall ASA, you can provide a certificate Template Identifier by clicking Add. This customized identifier allows you to send only those certificates that match the given criteria, thus reducing connection time because less certificates are sent for authentication. For example, you can establish different templates based on how privileges vary for business groups and provide filtering beyond general DN-based fields.

  • Template Identifier—Provide the string-based extension for the certificate or the OID (Template Information extension) that identifies the Template Name (OID:1.3.6.1.4.1.311.20.2) AND Template Information (OID: 1.3.6.1.4.1.311.21.7) to use for cert generation.

Does anyone know how this works? I’ve tried using the OIDs from my own certificate, but it doesn’t work. Based on the DART logs, the Secure Client cannot find a certificate that matches the criteria.
I’ve tried using the full OID from my certificate, the string-based extension, and the OID, but none of these worked.

Regards,

Norbert

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
SzantaiNorbert
Level 1
Level 1

‎04-15-2025 05:26 AM

Turned out that you have to use a different OID.

Not the 1.3.6.1.4.1.311.21.7, but the 1.3.6.1.4.1.311.21.8, and use the full OID in the XML:

SzantaiNorbert_0-1744719946181.png

Regards,
Norbert

 

View solution in original post

0 Helpful
1 Reply 1

Go to solution
SzantaiNorbert
Level 1
Level 1

‎04-15-2025 05:26 AM

Turned out that you have to use a different OID.

Not the 1.3.6.1.4.1.311.21.7, but the 1.3.6.1.4.1.311.21.8, and use the full OID in the XML:

SzantaiNorbert_0-1744719946181.png

Regards,
Norbert

 

0 Helpful
Customers Also Viewed These Support Documents