Hi Anthony, As I suspected, you use the same identity for the two end-entity certificates that are signed by different intermediate CAs:
> ipsec pki --print -i /etc/swanctl/x509/Org1.crt
> subject: "CN=RA00017.auth, ..."
> issuer: "..., CN=TDY Test SCA 1"
> ...
> altNames: ra00...@teledyne.com
> ...
> ipsec pki --print -i /etc/swanctl/x509/Org2.crt
> subject: "CN=RA00017.auth, ..."
> issuer: "..., CN=TDY Test SCA 4"
> ...
> altNames: ra00...@teledyne.com
> ...

The configured identity is ra00...@teledyne.com in both configs. That you also configure a different certificate explicitly doesn't matter because EAP-TLS currently doesn't use that setting (the lookup is done based on the configured identity only). Certificate requests should be considered, but if the cert request is for the root CA that won't help (it might even depend on the order of the certificate requests if multiple are received).

Regards,
Tobias
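To make the lookup behaviour described above concrete, here is a small constructed model (added for illustration, not strongSwan code): two end-entity certificates share one identity but hang off different intermediate CAs under a common root. The root CA name and the altName identity are placeholders, since the message only shows them elided.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str          # file name, e.g. Org1.crt
    subject: str
    issuer: str
    alt_names: tuple = ()

    def has_identity(self, identity: str) -> bool:
        return identity == self.subject or identity in self.alt_names


# Constructed sample mirroring the thread: one root (name assumed), two
# intermediate CAs (SCA 1 and SCA 4), two end-entity certs with the same
# subject and the same altName identity (placeholder address).
ROOT = Cert("root.crt", "CN=TDY Test Root CA", "CN=TDY Test Root CA")
SCA1 = Cert("sca1.crt", "CN=TDY Test SCA 1", "CN=TDY Test Root CA")
SCA4 = Cert("sca4.crt", "CN=TDY Test SCA 4", "CN=TDY Test Root CA")
ID = "user@example.com"  # placeholder for the shared altName identity
ORG1 = Cert("Org1.crt", "CN=RA00017.auth", "CN=TDY Test SCA 1", (ID,))
ORG2 = Cert("Org2.crt", "CN=RA00017.auth", "CN=TDY Test SCA 4", (ID,))
CA_STORE = {c.subject: c for c in (ROOT, SCA1, SCA4)}


def issuer_chain(cert: Cert) -> list:
    """Subjects of the CAs above cert, direct issuer first, root last."""
    chain, issuer = [], cert.issuer
    while issuer in CA_STORE:
        chain.append(issuer)
        ca = CA_STORE[issuer]
        if ca.issuer == ca.subject:  # self-signed root ends the walk
            break
        issuer = ca.issuer
    return chain


def lookup_by_identity(identity: str, certs) -> list:
    """Identity-only lookup: every cert carrying the identity is a
    candidate, so with duplicate identities the first one found is used
    regardless of which certificate file was configured."""
    return [c for c in certs if c.has_identity(identity)]


def lookup_with_certreq(identity: str, certs, requested_ca: str) -> list:
    """Identity lookup narrowed by a certificate request naming a CA.
    A request for an intermediate CA disambiguates; a request for the
    shared root CA still matches both chains."""
    return [c for c in lookup_by_identity(identity, certs)
            if requested_ca in issuer_chain(c)]
```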