Extended Certificate Key Usage Matching; Certificate Distinguished Name Mapping - Cisco 5505 - ASA Firewall Edition Bundle Administrator's Manual

Cisco AnyConnect VPN Client Administrator Guide, OL-12950-012

Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles
Configuring Profile Attributes

DATA_ENCIPHERMENT
KEY_AGREEMENT
KEY_CERT_SIGN
CRL_SIGN
ENCIPHER_ONLY
DECIPHER_ONLY

The profile can contain none or more matching criteria. If one or more criteria are specified, a certificate
must match at least one to be considered a matching certificate.

The example in Certificate Matching Example, page 7-15 shows how you might configure these
attributes.

Extended Certificate Key Usage Matching

This matching allows an administrator to limit the certificates that can be used by the client, based on
the Extended Key Usage fields. Table 7-3 lists the well known set of constraints with their corresponding
object identifiers (OIDs).

Table 7-3 Extended Certificate Key Usage

Constraint        OID
serverAuth        1.3.6.1.5.5.7.3.1
clientAuth        1.3.6.1.5.5.7.3.2
codeSign          1.3.6.1.5.5.7.3.3
emailProtect      1.3.6.1.5.5.7.3.4
ipsecEndSystem    1.3.6.1.5.5.7.3.5
ipsecTunnel       1.3.6.1.5.5.7.3.6
ipsecUser         1.3.6.1.5.5.7.3.7
timeStamp         1.3.6.1.5.5.7.3.8
OCSPSign          1.3.6.1.5.5.7.3.9
dvcs              1.3.6.1.5.5.7.3.10

As an administrator, you can add your own OIDs if the OID you want is not in the well known set. The
profile can contain none or more matching criteria. A certificate must match all specified criteria to be
considered a matching certificate. See profile example in Appendix A, "Sample AnyConnect Profile and
XML Schema" for an example.

Certificate Distinguished Name Mapping

The certificate distinguished name mapping capability allows an administrator to limit the certificates
that can be used by the client to those matching the specified criteria and criteria match conditions.
Table 7-4 lists the supported criteria.
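
The Key Usage and Extended Key Usage sections above state different rules: a certificate needs at least one of the listed Key Usage values, but every listed Extended Key Usage constraint. The Python below is an added example, not code from the guide or from the AnyConnect client; the dictionary layout for certificates and profiles, the function names and the sample values are assumptions made for illustration.

```python
import re

# Table 7-3: well-known Extended Key Usage constraint name -> OID.
WELL_KNOWN_EKU = {
    "serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSign": "1.3.6.1.5.5.7.3.3", "emailProtect": "1.3.6.1.5.5.7.3.4",
    "ipsecEndSystem": "1.3.6.1.5.5.7.3.5", "ipsecTunnel": "1.3.6.1.5.5.7.3.6",
    "ipsecUser": "1.3.6.1.5.5.7.3.7", "timeStamp": "1.3.6.1.5.5.7.3.8",
    "OCSPSign": "1.3.6.1.5.5.7.3.9", "dvcs": "1.3.6.1.5.5.7.3.10",
}
DOTTED_OID = re.compile(r"[0-2](\.\d+)+")


def resolve_eku(criterion):
    """Map a well-known name to its OID, or accept an administrator-supplied OID."""
    if criterion in WELL_KNOWN_EKU:
        return WELL_KNOWN_EKU[criterion]
    if DOTTED_OID.fullmatch(criterion):
        return criterion
    raise ValueError(f"not a well-known constraint or dotted OID: {criterion!r}")


def key_usage_matches(cert_key_usage, criteria):
    """Key Usage: with no criteria anything matches; otherwise one hit is enough."""
    return not criteria or any(c in cert_key_usage for c in criteria)


def eku_matches(cert_eku_oids, criteria):
    """Extended Key Usage: every specified criterion must be in the certificate."""
    return {resolve_eku(c) for c in criteria} <= set(cert_eku_oids)


def certificate_matches(cert, profile):
    """Apply both rules; a missing criteria list places no restriction."""
    return (key_usage_matches(cert["key_usage"], profile.get("key_usage", []))
            and eku_matches(cert["eku"], profile.get("eku", [])))


# Constructed sample data (hypothetical certificates and profile, not from the guide).
USER_CERT = {"key_usage": {"KEY_AGREEMENT", "DATA_ENCIPHERMENT"},
             "eku": {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"}}
SERVER_CERT = {"key_usage": {"DATA_ENCIPHERMENT"}, "eku": {"1.3.6.1.5.5.7.3.1"}}
PROFILE = {"key_usage": ["KEY_AGREEMENT", "CRL_SIGN"],
           "eku": ["clientAuth", "emailProtect"]}

if __name__ == "__main__":
    for name, cert in (("user", USER_CERT), ("server", SERVER_CERT)):
        print(name, certificate_matches(cert, PROFILE))
```

USER_CERT matches because it carries one of the listed Key Usage values and both listed Extended Key Usage OIDs; SERVER_CERT fails both rules.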
