Cisco Support Community


VPN client mutual group authentication -- restrict root cert

On a VPN client configured for mutual group authentication to a VPN 3000 headend, is it possible to restrict which root certificate is matched against the VPN concentrator's identity certificate?

Background: multiple CA root certificates are installed on the VPN client for other reasons, but only one CA should be used for the VPN mutual group authentication.


Re: VPN client mutual group authentication -- restrict root cert

As far as I know, there is no option to define this on the VPN client. Maybe the VPN client tries to match the certificate in the order listed on the client. I am not sure of this, though you can try placing the certificate at the top of the list.


Re: VPN client mutual group authentication -- restrict root cert

Ordering the list does not help, because I want to match only against certain ones of the installed root certificates.

Thanks nevertheless ... in the meantime, I found something:

-- VPN client version 4.0.5: no restriction is possible; only the certificate store used for matching (Microsoft or Cisco) can be defined.

-- VPN client 4.6 and later: this can be done with the "VerifyCertDN" keyword in the connection profile.

The connection profile attributes "CertName" and "CertSubjectName" are apparently not checked for this type of authentication.
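The check the thread is asking the client for, shown as an added example with the openssl command line (this is not code from the original thread and not the VPN client's own mechanism): the peer's identity certificate is chain-verified against exactly one designated root file rather than against every root installed in the store, and components of its subject and issuer DN are then matched. The two roots, the headend identity certificate and all names (Example Corp, rootA, rootB, vpn3000.example.test) are constructed throw-away test data generated on the fly; the -no-CAfile/-no-CApath flags assume OpenSSL 1.1.0 or later; and the ATTR=value rule syntax of dn_has is this example's own, not the VerifyCertDN grammar.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates, with the openssl
# CLI, what it means to restrict verification of a VPN peer's identity
# certificate to ONE designated root instead of every installed root, and then
# to match components of the peer's subject/issuer DN. All certificates and
# names below are constructed throw-away test data.
set -eu

WORK=$(mktemp -d)

# Build a constructed PKI: two self-signed roots (A and B) and one identity
# certificate for the VPN headend, signed by root A only.
make_pki() {
    for ca in rootA rootB; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" \
            -subj "/O=Example Corp/CN=$ca" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/peer.key" -out "$WORK/peer.csr" \
        -subj "/O=Example Corp/OU=VPN/CN=vpn3000.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/peer.csr" \
        -CA "$WORK/rootA.pem" -CAkey "$WORK/rootA.key" -CAcreateserial \
        -out "$WORK/peer.pem" >/dev/null 2>&1
}

# Chain-verify the peer certificate ($2) against exactly the root in $1.
# -no-CAfile and -no-CApath stop openssl from also consulting the default
# system store, which is the "any installed root would do" behaviour the
# thread wants to avoid. Prints OK or FAIL.
verify_against_root() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Print the subject or issuer DN of a certificate in RFC 2253 form, e.g.
# CN=vpn3000.example.test,OU=VPN,O=Example Corp
cert_dn() {   # $1 = subject | issuer, $2 = pem file
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"
}

# Check that a DN string contains the exact component given as ATTR=value.
# (This simple rule syntax is the example's own, not the VerifyCertDN grammar.)
dn_has() {   # $1 = DN string, $2 = component such as CN=vpn3000.example.test
    case ",$1," in
        *",$2,"*) echo yes ;;
        *)        echo no  ;;
    esac
}

make_pki
echo "against root A (designated):     $(verify_against_root "$WORK/rootA.pem" "$WORK/peer.pem")"
echo "against root B (also installed): $(verify_against_root "$WORK/rootB.pem" "$WORK/peer.pem")"
SUBJ=$(cert_dn subject "$WORK/peer.pem")
ISSUER=$(cert_dn issuer "$WORK/peer.pem")
echo "subject DN:      $SUBJ"
echo "subject CN ok:   $(dn_has "$SUBJ" "CN=vpn3000.example.test")"
echo "issuer is rootA: $(dn_has "$ISSUER" "CN=rootA")"
echo "issuer is rootB: $(dn_has "$ISSUER" "CN=rootB")"
```

The point of the two verify calls is that the same identity certificate passes only when the designated root is the sole trust anchor offered; if the verifier is handed the whole store (the default when -no-CAfile/-no-CApath are omitted), a certificate issued by any other installed root would also be accepted. The DN check is the second, independent restriction: even a chain that validates is rejected unless the subject and issuer components match what the connection profile expects.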
