Internet Protocol Security (IPsec) provides authentication and encryption services for IP packets, as well as mutual authentication of the communicating peers. IPsec communication between two peer endpoints typically proceeds in two phases: first, the peers authenticate each other and negotiate the parameters used to protect traffic (this key-exchange phase is carried out by the Internet Key Exchange protocol, IKE); second, the negotiated parameters are applied to the traffic between the peers (e.g., encryption and/or integrity protection). In the first phase, one technique by which the peers authenticate each other is the use of certificates. Each peer endpoint is provisioned with a certificate that identifies it and authorizes it to participate in an IPsec session with the other endpoint. For two endpoints to establish a certificate-based IPsec session, each endpoint's certificate must chain to a certificate authority that the other endpoint trusts; in practice, both endpoints hold certificates issued by a common trusted certificate authority.
In some datacenters it may be desirable to establish multiple isolation contexts. For example, an ISP (Internet service provider) may have multiple customers and needs to provide a secure, isolated zone for each customer. To achieve this isolation with existing infrastructure, the ISP deploys a separate certificate authority for each zone, so that an endpoint in one zone will only accept peers whose certificates were issued by that zone's certificate authority. Deploying and maintaining multiple certificate authorities is a time-consuming and labor-intensive process.
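The following strongSwan swanctl.conf fragment is an added example, not part of the original text, illustrating both points above: certificate-based IKEv2 authentication between two peers that trust a common CA, and per-customer isolation achieved by constraining each connection to its own zone's CA. All names (tenant-a-ca.pem, tenant-b-ca.pem, the gateway certificate files, the subject DNs, addresses and subnets) are assumed placeholders; the certificate files are expected in /etc/swanctl/x509/ (end-entity) and /etc/swanctl/x509ca/ (CA) as strongSwan's swanctl conventions require.

```conf
# Added example (not from the original text). Assumed files:
#   /etc/swanctl/x509/gw.pem            this gateway's certificate
#   /etc/swanctl/private/gw.key         its private key
#   /etc/swanctl/x509ca/tenant-a-ca.pem CA for customer zone A
#   /etc/swanctl/x509ca/tenant-b-ca.pem CA for customer zone B
connections {
    # Zone A: only peers certified by tenant-a-ca.pem may complete IKE_AUTH.
    tenant-a {
        version = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.10
        proposals    = aes256-sha256-x25519
        local {
            auth  = pubkey
            certs = gw.pem
            id    = "CN=gw.example.net, O=Example ISP"
        }
        remote {
            auth = pubkey
            # Constrains the peer's certificate chain to this zone's CA;
            # a certificate issued by tenant-b-ca.pem is rejected here.
            cacerts = tenant-a-ca.pem
            id = "O=Tenant A, CN=*"
        }
        children {
            tenant-a-net {
                local_ts  = 10.10.0.0/16
                remote_ts = 172.16.1.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = trap
            }
        }
    }
    # Zone B: same gateway certificate, different trust anchor.
    tenant-b {
        version = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.20
        proposals    = aes256-sha256-x25519
        local {
            auth  = pubkey
            certs = gw.pem
            id    = "CN=gw.example.net, O=Example ISP"
        }
        remote {
            auth    = pubkey
            cacerts = tenant-b-ca.pem
            id      = "O=Tenant B, CN=*"
        }
        children {
            tenant-b-net {
                local_ts  = 10.20.0.0/16
                remote_ts = 172.16.2.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = trap
            }
        }
    }
}
```

The isolation property can be checked offline before loading the configuration: `openssl verify -CAfile tenant-a-ca.pem tenant-b-peer.pem` should fail, while `openssl verify -CAfile tenant-a-ca.pem tenant-a-peer.pem` should succeed. Note that this design is exactly what the preceding paragraph describes as costly: every additional customer zone requires issuing, distributing, renewing and revoking certificates under yet another CA, and each remote block must be kept pinned to the correct trust anchor so that a certificate from one zone can never authenticate a peer in another.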