Hi Anthony,

> ? can VICI be configured to load a specific SCA cert per VPN (would this help)

That doesn't make a difference. As mentioned, only the identity is relevant on the client. So unless you can get the server to send a TLS certificate request only for a specific intermediate CA, you can't control the client's certificate selection if you use the same identity for both end-entity certificates. Similarly, on the server side, strongSwan sends TLS certificate requests for all available CA certificates (i.e. like the certs option, the cacerts option is only relevant for IKE, not for EAP-TLS).

Regards,
Tobias