Certificate Map Objects

Certificate Map objects are a named set of certificate matching rules. These objects are used to provide an association between a received certificate and a Remote Access VPN connection profile. Connection Profiles and Certificate Map objects are both part of a remote access VPN policy. If a received certificate matches the rules contained in the certificate map, the connection is "mapped", or associated with the specified connection profile. The rules are in priority order: they are evaluated in the order they are shown in the UI, and matching ends when the first rule within the Certificate Map object results in a match.

Navigation

Objects > Object Management > VPN > Certificate Map

Fields

  • Name—Identify this object so it can be referred to from other configurations, such as Remote Access VPN.

  • Mapping Criteria—Specify the contents of the certificate to evaluate. If the certificate satisfies these rules, the user will be mapped to the connection profile containing this object.

    • Field—Select the field for the matching rule according to the Subject or the Issuer of the client certificate.

      If the Field is set to Alternative Subject or Extended Key Usage, the Component is frozen as Whole Field.

    • Component—Select the component of the client certificate to use for the matching rule.

      Note

      SER (Serial Number) component - Ensure you specify the serial number for the Subject field. The certificate map only matches with a serial number attribute in the subject name.

    • Operator—Select the operator for the matching rule as follows:

      • Equals—The certificate component must match the entered value. If they do not match exactly, the connection is denied.

      • Contains—The certificate component must contain the entered value. If the component does not contain the value, the connection is denied.

      • Does Not Equal—The certificate component cannot equal the entered value. For example, for a selected certificate component of Country, and an entered value of US, if the client country value equals US, then the connection is denied.

      • Does Not Contain—The certificate component cannot contain the entered value. For example, for a selected certificate component of Country, and an entered value of US, if the client country value contains US, the connection is denied.

  • Value—The value of the matching rule. The value entered is associated with the selected component and operator.
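The matching semantics described above (Field, Component, the four Operators, priority order, and first match wins), modelled as an added example; this is not Cisco's code, and the sample certificates, the cert-map-to-profile bindings, the case-sensitive comparison and the treatment of a missing component as "no match" are all assumptions of the example:

```python
from dataclasses import dataclass
from typing import Optional
# Per the page, these Fields only support the Whole Field component.
WHOLE_FIELD_ONLY = {"Alternative Subject", "Extended Key Usage"}
# The four operators listed on the page (assumption: case-sensitive string comparison).
OPERATORS = {
    "Equals": lambda actual, v: actual == v,
    "Contains": lambda actual, v: v in actual,
    "Does Not Equal": lambda actual, v: actual != v,
    "Does Not Contain": lambda actual, v: v not in actual,
}
@dataclass(frozen=True)
class Rule:
    field: str      # Subject | Issuer | Alternative Subject | Extended Key Usage
    component: str  # DN attribute such as C, O, OU, CN, SER, or "Whole Field"
    operator: str   # a key of OPERATORS
    value: str
def extract(cert: dict, rule: Rule) -> Optional[str]:
    """Text the rule is evaluated against, or None when the certificate lacks it."""
    if rule.field in WHOLE_FIELD_ONLY or rule.component == "Whole Field":
        return cert.get(rule.field)
    # Subject and Issuer are modelled as ordered (attribute, value) lists.
    values = [v for k, v in cert.get(rule.field, []) if k == rule.component]
    return ",".join(values) if values else None

def rule_matches(cert: dict, rule: Rule) -> bool:
    actual = extract(cert, rule)
    if actual is None:
        return False  # assumption: a missing component satisfies no operator
    return OPERATORS[rule.operator](actual, rule.value)

def select_profile(cert: dict, bindings: list) -> Optional[str]:
    """bindings = [(rules in priority order, profile), ...]; first match wins."""
    for rules, profile in bindings:
        if any(rule_matches(cert, r) for r in rules):
            return profile
    return None  # no certificate map matched, so no profile is assigned

# Constructed sample certificates (not real data).
ALICE = {"Subject": [("C", "US"), ("O", "Example Corp"), ("OU", "Engineering"), ("CN", "alice")],
         "Issuer": [("O", "Example Corp"), ("CN", "Example Issuing CA")]}
BOB = {"Subject": [("C", "GB"), ("O", "Example Corp"), ("OU", "Contractors"), ("CN", "bob")],
       "Issuer": [("O", "Example Corp"), ("CN", "Example Issuing CA")]}
OTHER = {"Subject": [("C", "US"), ("O", "Other Inc"), ("CN", "carol")],
         "Issuer": [("O", "Other Inc"), ("CN", "Other CA")]}
# Certificate maps bound to connection profiles, evaluated in this order.
BINDINGS = [
    ([Rule("Subject", "OU", "Contains", "Contractor")], "Contractor_Profile"),
    ([Rule("Issuer", "CN", "Equals", "Example Issuing CA")], "Employee_Profile"),
]
```

Because a single matching rule maps the certificate, a map that contains only a negated rule (for example, Country Does Not Equal US) maps every certificate whose country is anything else, so pair negated rules with an Issuer rule when the intent is to restrict rather than broaden.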