SSL VPN Certificate Authentication

imanv
Level 1

I'm looking for a way to send non-exportable certificate requests from clients using different OSes (Windows, Linux and Mac), then check them on the CA server. After approval, the non-exportable certificate becomes available for the client to install. Then I configure the SSL VPN authentication based on the certificate common name in SSL VPN instead of the username.

The problem is I don't have any examples or tools to generate non-exportable certificates for users on different OSes.

I have Cisco ISE 3.3 for the AAA parts of the VPN connection, ASA and FTD firewalls, Microsoft Active Directory for users and groups, and a Microsoft CA server.

Would you please share your ideas about generating non-exportable certificates?


2 Replies

No need to add the CA cert on the client; the client must accept the FTD cert.


MHM

The non-exportable part is somewhat of an honor agreement and is not a part of the certificate itself, but rather operating-system specific.

Using your Microsoft PKI and AD, you can deploy, for example, non-exportable computer certificates to AD-joined Windows machines. Windows policies enforce the non-exportable part.

I believe the Mac also has the concept of importing certificates and making them non-exportable if the key is generated within the Secure Enclave (according to a quick Google search).

On Linux machines, you might be able to enforce non-exportable-like behavior if the key is on the TPM.

The certificates themselves do not have the concept of being non-exportable, this is something you're enforcing at the OS and/or hardware level when either importing or generating the private keys.
So it all depends on how you're managing these endpoints.

---
Please mark helpful answers & solutions
---
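The Windows half of what the reply above describes, as an added example that is not part of the thread: a certreq INF with `Exportable = FALSE` so the private key is flagged non-exportable at generation time, the CSR submitted to the Microsoft CA and accepted into the user store, then a check that the OS really does refuse to export the key. The CA config string `CA01.example.com\Example-Issuing-CA`, the template name `VPNUser` and the subject `CN=jdoe` are placeholder assumptions, not values from the post; replace them with your own. The `-TpmBacked` switch selects the Microsoft Platform Crypto Provider, which stores the key in the TPM rather than relying only on the software KSP's policy flag.

```powershell
# Added example (not from the thread): enrol a non-exportable client-auth
# certificate on Windows with certreq, then verify the OS refuses to export the key.
# Assumed placeholders: CA config "CA01.example.com\Example-Issuing-CA",
# template "VPNUser", subject "CN=jdoe". Run as the VPN user (user store).
param(
    [string]$Subject  = "CN=jdoe",
    [string]$CaConfig = "CA01.example.com\Example-Issuing-CA",
    [string]$Template = "VPNUser",
    [switch]$TpmBacked
)

$ErrorActionPreference = "Stop"
$work = Join-Path $env:TEMP "vpncert"
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work "request.inf"
$req = Join-Path $work "request.req"
$cer = Join-Path $work "issued.cer"

# The TPM KSP binds the key to hardware; the software KSP still honours
# Exportable=FALSE, but only as an OS-enforced policy on the key container.
$provider = if ($TpmBacked) { "Microsoft Platform Crypto Provider" }
            else            { "Microsoft Software Key Storage Provider" }

@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "$provider"
Exportable = FALSE      ; the non-exportable flag: set at key generation, enforced by Windows
MachineKeySet = FALSE   ; user store; set TRUE for a computer certificate
RequestType = PKCS10
KeyUsage = 0x80         ; digitalSignature

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and CSR. The private key is created in the store now,
#    already marked non-exportable; the CSR carries the CN the VPN headend will match.
certreq -new $inf $req

# 2. Submit to the Microsoft CA. If the template requires CA manager approval this
#    reports "Taken Under Submission" with a request ID; fetch the issued cert later
#    with: certreq -retrieve <RequestID> $cer
certreq -submit -config $CaConfig $req $cer

# 3. Bind the issued certificate to the pending private key.
certreq -accept $cer

# 4. Verify. The CNG export policy should be "None", and a PFX export should fail.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
"Provider:      $($rsa.Key.Provider.Provider)"
"Export policy: $($rsa.Key.ExportPolicy)"

try {
    $pw = ConvertTo-SecureString "test" -AsPlainText -Force
    $cert | Export-PfxCertificate -FilePath (Join-Path $work "should-fail.pfx") -Password $pw | Out-Null
    Write-Warning "Private key was exported: this key is NOT non-exportable"
} catch {
    "Export refused as expected: $($_.Exception.Message)"
}
```

The export attempt at the end is the practical test of what the reply calls an honor agreement: `Exportable = FALSE` lives in the key container's policy, not in the certificate, so a certificate copied off the machine carries no trace of it. Only the key's provider (software KSP policy, or the TPM when `-TpmBacked` is used) stops the private key from leaving the endpoint, which is why the check reads the CNG `ExportPolicy` rather than anything in the certificate.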