About multiple local certificates

In some instances it is useful to install multiple local certificates that all identify the same host. Typical situations are:

  • Autonomous management of road warrior tunnels from multiple sites.
  • Autonomous management of site-to-site tunnels from multiple sites.

Multiple local certificates are typically used to decentralize VPN management in larger networks. For instance, a VPN could be used to create a WAN (Wide Area Network) among three head offices of a multinational company. Each head office must be responsible for its own VPN links that connect its regional branches to its head office, as otherwise there would be a reliance on a single set of administrators in one country / time zone preparing certificates for the entire organization.

Continuing the example, each head office VPN gateway could use two local IDs (certificates):

  • Country head office ID – This ID would be used by a head office to identify itself to head offices from other countries, to form VPN tunnels that make up the international WAN.
  • Head office ID – This ID would be used by a head office to identify itself to other domestic offices, so that it can manage VPN tunnel connectivity within its own region.

The same concept can be applied to any situation where you want autonomous VPN management. To continue this example, many offices within one country have road warrior users who need to connect to their local networks. In this instance, a branch office VPN gateway could use two local IDs (certificates):

  • Regional branch office ID – This ID would be used by a branch office to identify itself to the head office and other branch offices that make up the country-wide WAN.
  • Branch office ID – This ID would be used by a branch office to identify itself to its local road warriors, so that it can manage road warrior connectivity to its own branch.
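The head office case above rests on each trust domain having its own certificate authority, so that a domestic CA cannot vouch for international WAN peers and vice versa. The following is an added example, not part of this documentation or of any particular VPN product: it uses openssl to create two assumed CAs ("International WAN CA" and "Germany Domestic CA"), issues one head office gateway a certificate from each, and checks that every certificate validates only against the CA that issued it. All CA and host names are constructed for the example.

```shell
#!/bin/sh
# Added example: one gateway, two local certificates from two separate CAs.
# CA names, the gateway name "gw-de.example" and the file stems are assumed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca STEM CN: self-signed CA certificate plus key (STEM.crt, STEM.key)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# issue_cert CA_STEM CERT_STEM CN: end-entity certificate signed by CA_STEM
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.crt" >/dev/null 2>&1
}

# cert_valid_for CA_STEM CERT_STEM: exit 0 if the certificate chains to that
# CA only, non-zero otherwise (this is what a peer gateway effectively checks)
cert_valid_for() {
  openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

# One CA per trust domain: the international WAN and the German domestic region
make_ca intl-wan-ca "International WAN CA"
make_ca de-domestic-ca "Germany Domestic CA"

# The same gateway receives two local IDs, one from each CA
issue_cert intl-wan-ca    gw-de-intl "gw-de.example country head office ID"
issue_cert de-domestic-ca gw-de-dom  "gw-de.example head office ID"

# Report which CA each local certificate is accepted by
for ca in intl-wan-ca de-domestic-ca; do
  for cert in gw-de-intl gw-de-dom; do
    if cert_valid_for "$ca" "$cert"; then
      echo "$cert: accepted by $ca"
    else
      echo "$cert: rejected by $ca"
    fi
  done
done
```

A peer that only trusts its regional CA therefore accepts the head office ID and rejects the country head office ID, which is what keeps the regional administrators from being able to form tunnels into the international WAN with certificates they issued themselves.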