Enterprises and individuals may use virtual private networks (VPNs) to communicate securely over public networks. For example, an employee of an enterprise may use a virtual private network to communicate securely over the Internet with an application server situated within the enterprise network. The use of a VPN provides assurances that others on the public network cannot intercept, read, or reuse communications sent on the VPN.
In some computing environments, an enterprise may deploy many certificate-protected resources to ensure that users attempting to access the resource are legitimate. Each of the different resources may require, for example, that the client go through a separate sign-on procedure and produce a specific digital certificate understood by that resource. For example, each certificate-protected resource may utilize a handshake protocol in which the resource responds to an access request from a client with a request for an authorizing digital certificate issued to the client by an enterprise administrator for that specific resource. Each such protected resource may require a unique certificate that is specific to both the resource and the client. As such, a certificate that grants a client access to one of the protected resources may be insufficient to provide access to a different one of the resources. Similarly, a certificate that grants a client access to a protected resource may be insufficient to provide access to the resource for a different client.

When an authorized client responds to a certificate request with the appropriate authorizing certificate for the protected resource, the certificate-protected resource is able to validate the certificate. The client and protected resource then perform further aspects of the handshake protocol to authenticate one another and negotiate encryption parameters and keys for establishing a secure channel through which data can be exchanged. A client therefore must store and manage digital certificates for each of the certificate-protected resources to which it may request access.
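The certificate-request step of the handshake described above, as an added example that is not part of the original text: a client keeps one certificate per protected resource, and the resource rejects a certificate bound to a different resource or a different client, or one the administrator did not issue. The administrator's signature is modelled with an HMAC under a constructed key, standing in for the X.509 signature check a real resource would perform; all names (`issue_certificate`, `ClientCertStore`, `ProtectedResource`, `handshake`) are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the enterprise administrator's signing key. A real
# deployment would use a CA private key and verify an X.509 signature here.
ADMIN_KEY = b"enterprise-admin-signing-key (constructed)"


@dataclass(frozen=True)
class Certificate:
    resource: str  # the protected resource this certificate authorizes
    client: str    # the client it was issued to
    sig: bytes     # administrator's signature over (resource, client)


def _sign(resource: str, client: str) -> bytes:
    """Administrator's signature binding one resource to one client."""
    return hmac.new(ADMIN_KEY, f"{resource}|{client}".encode(), hashlib.sha256).digest()


def issue_certificate(resource: str, client: str) -> Certificate:
    """Administrator issues a certificate specific to both resource and client."""
    return Certificate(resource, client, _sign(resource, client))


class ClientCertStore:
    """Client side: one authorizing certificate per certificate-protected resource."""

    def __init__(self, client: str) -> None:
        self.client = client
        self._certs: dict[str, Certificate] = {}

    def add(self, cert: Certificate) -> None:
        self._certs[cert.resource] = cert

    def respond_to_cert_request(self, resource: str) -> Optional[Certificate]:
        # Answer the resource's certificate request with the matching certificate, if any.
        return self._certs.get(resource)


class ProtectedResource:
    """Resource side: validates the certificate presented in the handshake."""

    def __init__(self, name: str) -> None:
        self.name = name

    def validate(self, cert: Optional[Certificate], requesting_client: str) -> bool:
        # Reject a missing certificate, one bound to another resource or client,
        # and one whose signature the administrator did not produce.
        if cert is None or cert.resource != self.name or cert.client != requesting_client:
            return False
        return hmac.compare_digest(_sign(cert.resource, cert.client), cert.sig)


def handshake(store: ClientCertStore, resource: ProtectedResource) -> bool:
    """Resource requests a certificate, client answers, resource validates it."""
    return resource.validate(store.respond_to_cert_request(resource.name), store.client)
```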