Thanks for your quick reply.

The 'profile.xml' was copied from the sample directory 'doc' without any changes. This time I modified it on the server side as you demonstrated, and also added the custom OID value in the client certificate's "Properties - Extended Validation" dialog on Win7. But it still doesn't work, with the same error in the log file.

Then I tried 'openconnect-gui' and selected the client certificate in the settings window. It seems OK except for the repeated prompt "DTLS handshake failed: Resource temporarily unavailable, try again".

Thanks.

Regards,
tefeng

On 2015/1/9 21:00, David Woodhouse wrote:
> On Fri, 2015-01-09 at 20:54 +0800, tefeng wrote:
>> It seemed that ACSMC on win7 didn't recognize the certificate (imported
>> via 'mmc' command, the same way for strongSwan certificate which works OK).
>>
>> Any recommendations would be really appreciated. Thanks in adv.
> Were you looking for recommendations other than using OpenConnect on
> Windows? https://github.com/openconnect/openconnect-gui/wiki
>
> How does the Cisco client know which certificate to use? In the profile
> there is a <CertificateMatch> node which looks something like this:
>
> <CertificateMatch>
>   <KeyUsage>
>     <MatchKey>Digital_Signature</MatchKey>
>   </KeyUsage>
>   <ExtendedKeyUsage>
>     <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
>     <CustomExtendedMatchKey>1.2.840.113741.1.5.1.101.1.5</CustomExtendedMatchKey>
>   </ExtendedKeyUsage>
> </CertificateMatch>
>
> Do you have something similar in your profile, and does the certificate
> you've imported match the criteria?
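David's question in the quoted reply, whether the imported certificate actually satisfies the profile's <CertificateMatch> criteria, can be answered offline with the openssl CLI. The script below is an added example written for this page; it is not code from OpenConnect, Cisco or either poster. It assumes openssl is on PATH, maps only the two match keys that appear in the quoted profile fragment (Digital_Signature and ClientAuth) to openssl's text labels, treats every listed criterion as required, and builds its own constructed test data: a profile whose <AnyConnectProfile> root is an assumed minimal wrapper around the quoted <CertificateMatch> block, plus two self-signed certificates, one with and one without the custom EKU OID.

```shell
#!/bin/sh
# Added example (not OpenConnect or Cisco code): check whether a PEM client
# certificate carries every criterion listed under <CertificateMatch> in an
# AnyConnect profile, reading the extensions with the openssl CLI (assumed on PATH).

# Print one criterion per line from the profile: KU:<key>, EKU:<key>, OID:<oid>.
profile_criteria() {
    sed -n \
        -e 's|.*<MatchKey>\(.*\)</MatchKey>.*|KU:\1|p' \
        -e 's|.*<ExtendedMatchKey>\(.*\)</ExtendedMatchKey>.*|EKU:\1|p' \
        -e 's|.*<CustomExtendedMatchKey>\(.*\)</CustomExtendedMatchKey>.*|OID:\1|p' \
        "$1"
}

# Exact match of item $1 against the comma-separated list $2, so that OID
# 1.2.840.113741.1.5.1.101.1.5 is not satisfied by ...1.101.1.50.
list_has() {
    printf '%s\n' "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF -- "$1"
}

# Return 0 if certificate $2 satisfies every criterion in profile $1, 1 if a
# criterion is missing, 2 on an unreadable certificate or an unmapped key.
# Only the two named keys from the quoted profile fragment are mapped here.
cert_matches_profile() {
    text=$(openssl x509 -in "$2" -noout -text) || return 2
    # In -text output the value line follows the "X509v3 ... Usage:" header line.
    ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    for crit in $(profile_criteria "$1"); do
        case "$crit" in
            KU:Digital_Signature) needle='Digital Signature';             hay=$ku  ;;
            EKU:ClientAuth)       needle='TLS Web Client Authentication'; hay=$eku ;;
            OID:*)                needle=${crit#OID:};                    hay=$eku ;;
            *) echo "unsupported criterion: $crit" >&2; return 2 ;;
        esac
        list_has "$needle" "$hay" || { echo "missing: $crit" >&2; return 1; }
    done
    return 0
}

# Constructed test data: self-signed cert $1/$2.pem with KU=digitalSignature
# and the EKU list given in $3 (numeric OIDs are accepted by openssl here).
make_test_cert() {
    cat > "$1/$2.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = client_ext
[ dn ]
CN = $2
[ client_ext ]
keyUsage = critical, digitalSignature
extendedKeyUsage = $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Constructed profile: the quoted <CertificateMatch> block inside an assumed
# minimal <AnyConnectProfile> root.
write_profile() {
    cat > "$1" <<'EOF'
<AnyConnectProfile>
  <CertificateMatch>
    <KeyUsage>
      <MatchKey>Digital_Signature</MatchKey>
    </KeyUsage>
    <ExtendedKeyUsage>
      <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      <CustomExtendedMatchKey>1.2.840.113741.1.5.1.101.1.5</CustomExtendedMatchKey>
    </ExtendedKeyUsage>
  </CertificateMatch>
</AnyConnectProfile>
EOF
}

demo() {
    dir=$(mktemp -d)
    write_profile "$dir/profile.xml"
    make_test_cert "$dir" good 'clientAuth, 1.2.840.113741.1.5.1.101.1.5'
    make_test_cert "$dir" bad  'clientAuth'   # lacks the custom OID
    for c in good bad; do
        if cert_matches_profile "$dir/profile.xml" "$dir/$c.pem"; then
            echo "$c.pem: matches profile"
        else
            echo "$c.pem: does NOT match profile"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run it against a real exported certificate with `cert_matches_profile profile.xml client.pem`. Note that openssl reports only the extensions encoded in the certificate itself; a purpose added to a store entry through a certificate properties dialog is not part of the certificate and will not show up in this check.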