I don't use X.509 certificates, I just use RSA public/private key pairs established with each FQDN. So I cannot answer certificate deployment questions. But ... I do not understand how your second scenario would possibly have correct SAs and Flows, as this would never establish them with 192.168.1.1.
Have you tested either scenario?