OpenConnect VPN Server (ocserv) with Certificate Authentication

I followed two articles to set up an ocserv and enable certificate authentication; both were straightforward to follow and worked as described/expected.

Articles I followed were:

Setup the server:
https://www.linuxbabe.com/debian/set-up-openconnect-vpn-server-ocserv-debian-11-bullseye

Configure a CA for client identity certificates:
https://www.linuxbabe.com/ubuntu/certificate-authentication-openconnect-vpn-server-ocserv#comment-1028041

The outcome of the second article produces a .p12 certificate which is easily added to the OpenConnect-gui Windows client and when used works perfectly. However, I have a printer that can run a VPN client using the Cisco AnyConnect protocol, but requires use of certificate authentication. The challenge I have is that it only accepts client identity certificates in .pfx format, rather than the .p12 as per the article.

I've tried multiple methods to convert the .p12 to .pfx (online converter tool and OpenSSL command line variations), but can't find an outcome that works.

I would really appreciate any advice or pointers anyone could provide to either use GnuTLS to simply output a .pfx instead of a .p12, or a method to convert the already created .p12 to a .pfx.

There is 1 best solution below

Figured out what I was doing wrong...

I'd used the wrong root CA certificate on the VPN client. Now working.