IKEv2 Client-To-Site and certificates
I have a (probably general) question regarding IKEv2 authentication using certificates.
We set up a VPN100 appliance and got some client computers (Win10) able to connect through IKEv2 (internal Windows client). For this, I have created a self-signed certificate on the VPN100 and installed it in the clients' local machine account's certificate store Trusted Root Certification Authorities. (Procedure can be found at http://onesecurity.zyxel.com/img/uploads/Next-Gen_IKEv2_VPN_Server_Role_CR.pdf ).
Generally speaking, though: Assuming one of the laptops gets lost or stolen, how could I prevent this specific device from connecting? As far as I can see, there is no way to have a per-device or even per-user certificate, is that correct? That would mean that when a computer is missing, I would have to create a new certificate and deploy it to every remaining laptop, is that correct? Obviously I could change the password for the user account in question, but that seems like a workaround, rather than a secure method to prevent intrusion into the VPN.
Is there any way to authenticate a per-device client certificate?
Thanks for any help,
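The PKI pattern the question is asking about, as an added example that is not part of the original post and is not Zyxel's procedure: a small private CA issues one certificate per device, and when a laptop goes missing only that device's certificate is revoked via a CRL, while the CA certificate the remaining laptops trust stays unchanged. It assumes the `openssl` CLI is installed; the CA name and the `device-1`/`device-2` identities are constructed for illustration. Whether a given gateway (the VPN100 included) checks a CRL at connect time is not something this example establishes.

```shell
#!/bin/sh
# Added example, not from the original post or from Zyxel: a minimal private CA
# that issues one certificate per device and revokes a lost device via a CRL.
# Assumes the openssl CLI is installed; every name below (CA name, device-1,
# device-2) is constructed for illustration.
set -eu

WORK="$(mktemp -d)"
CNF="$WORK/ca.cnf"

# Minimal `openssl ca` configuration pointing at files inside $WORK.
write_ca_config() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca       = vpn_ca

[ vpn_ca ]
new_certs_dir    = $WORK
database         = $WORK/index.txt
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName       = supplied
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
}

# Self-signed CA certificate: the single thing every laptop needs to trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Bundle CA cert + current CRL; this is what a gateway would verify against.
refresh_crl() {
  openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
  cat "$WORK/ca.crt" "$WORK/crl.pem" > "$WORK/ca-with-crl.pem"
}

# One key pair and one certificate per device, signed by the CA.
issue_device() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$CNF" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
  refresh_crl
}

# Mark one device's certificate revoked and publish a fresh CRL.
revoke_device() {
  openssl ca -config "$CNF" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  refresh_crl
}

# What a gateway does at connect time: chain validation plus CRL check.
device_status() {
  if openssl verify -crl_check -CAfile "$WORK/ca-with-crl.pem" \
       "$WORK/$1.crt" >/dev/null 2>&1; then
    echo allowed
  else
    echo revoked
  fi
}

write_ca_config
make_ca
issue_device device-1
issue_device device-2
revoke_device device-1      # device-1 was lost: revoke only that certificate
echo "device-1: $(device_status device-1)"   # revoked
echo "device-2: $(device_status device-2)"   # allowed
```

In this model each laptop carries its own certificate and private key in the machine store, and the shared item is only the CA certificate, so losing one laptop means revoking one entry rather than re-issuing and redeploying to every remaining client. The revocation only takes effect if the gateway actually consults the CRL (or an equivalent such as OCSP or short certificate lifetimes) when the client authenticates.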