NIAP: View Technical Decision Details
Archived TD0140:  FCS_IPSEC_EXT.1.12, Test 1 - Importing of Private Key and Certificate

Publication Date
2017.01.19

Protection Profiles
PP_VPN_IPSEC_CLIENT_V1.4

Other References
FCS_IPSEC_EXT.1.12

Issue Description

The FCS_IPSEC_EXT.1.12 Test Assurance Activity requires the evaluator to generate a CSR using the TOE/platform for use during testing.  However, most VPN clients for mobile devices are not designed to issue their own CSRs, and CSR-issuing functionality is not required or directly available to users to meet the MDF PP (so CSR issuance isn't necessarily available on an evaluated mobile device).

Resolution

For FCS_IPSEC_EXT.1.12, the Assurance Activity for Test 1 has been updated as follows:

Test 1: The evaluator shall have the TOE/platform generate a public-private key pair, and submit a CSR (Certificate Signing Request) to a CA (trusted by both the TOE/platform and the peer VPN used to establish a connection) for its signature. The values for the DN (Common Name, Organization, Organizational Unit, and Country) will also be passed in the request. Alternatively, the evaluator may import to the TOE/platform a previously generated private key and corresponding certificate.

Justification

Not all TOE platforms will be able to generate certificate requests; therefore, the Test AA was updated to allow the option of importing a private key and certificate.
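For the import alternative in Test 1, the key and certificate have to be produced off the TOE and checked before they are loaded. The shell functions below are an added example, not part of the Technical Decision or of any NIAP tooling. They assume the OpenSSL command line, a throwaway test CA, and constructed DN values and file names.

```shell
#!/bin/sh
# Added example: lab-side preparation for the "import" path of Test 1.
# Assumes the OpenSSL CLI; the DN values and file names are constructed.
SUBJ="/C=US/O=Example Lab/OU=VPN Test/CN=vpn-client-01"

make_test_ca() {        # $1 = work dir; throwaway CA trusted by TOE and peer
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/O=Example Lab/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_client_csr() {     # key pair plus CSR carrying CN, O, OU and C
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
}

sign_csr() {            # CA signs the CSR, producing the client certificate
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/client.crt" 2>/dev/null
}

csr_subject() {         # $1 = CSR file; prints the DN that was requested
  openssl req -in "$1" -noout -subject
}

key_matches_cert() {    # $1 = private key, $2 = certificate
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

chains_to_ca() {        # $1 = CA certificate, $2 = client certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

prepare_import_material() {   # $1 = work dir; fails on any broken step
  make_test_ca "$1" && make_client_csr "$1" && sign_csr "$1" &&
    key_matches_cert "$1/client.key" "$1/client.crt" &&
    chains_to_ca "$1/ca.crt" "$1/client.crt"
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && prepare_import_material "$d" && csr_subject "$d/client.csr"
fi
```

The private keys are written unencrypted (`-nodes`), so the work directory should be treated as disposable test material and removed after the import.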
