Cisco ASA Site-to-Site IPsec VPN Digital Certificates

Hi Brian,

Security-wise, the public/private keys of a certificate are typically longer than a pre-shared key.

If you want to use certificates then both devices will have to trust the same root CA. You could use your own CA like I did with this example and sign two certificates. One for your firewall and one for the customer. Since both devices trust the CA, they will trust each other’s certificate.

This is the main advantage of using certificates. For example, let’s say you have 100 customers that build a VPN to your main office’s firewall. If you want to add an extra firewall that the customers could connect to then you have to configure 100 pre-shared keys for all 100 customers to connect to the second firewall. You could use the same pre-shared key everywhere but that means once the key is compromised, you have to replace it everywhere…not a good idea!

When you use certificates, you only have to add a new certificate to the second firewall. Since the customers trust the CA, they will trust the certificate of the second firewall automatically.

You could use the same certificate, it’s even possible to use a “wildcard” certificate but that’s not a good idea. It’s the same as using the same pre-shared key everywhere. Once the key (or certificate) is compromised, you’ll have to replace it. Replacing a key/certificate on 2 devices is no problem but for 100 devices it might be a pain.

It might be helpful to see this in action. You can use my example to build a CA with OpenSSL and then use 2-3 firewalls to build a VPN that uses the certificates.

Hope this helps!

Rene
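Rene's OpenSSL lab is not reproduced in this thread, so as an added illustration (not Rene's code or an ASA config) here is a small shell script that builds a private CA, signs one certificate per VPN peer, and shows the point made above: a peer that trusts the CA accepts a second firewall's certificate with no change on its own side, while a certificate issued by an unrelated CA is rejected. The CA and peer names, the 2048-bit RSA key size and the scratch directory are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: private CA plus per-peer certificates for a site-to-site VPN.
# All names and paths below are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed root CA; $1 is the file basename (and CN) of the CA.
build_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# Issue a certificate for peer $1, signed by CA $2 (key, CSR and cert land in $WORK).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -days 365 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Return 0 if peer $1's certificate chains to CA $2, non-zero otherwise.
# This is the same decision an IKE peer makes when it receives the other side's cert.
verify_cert() {
  [ "$(openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" 2>/dev/null)" \
    = "$WORK/$1.crt: OK" ]
}

build_ca vpn-root-ca
issue_cert hq-firewall vpn-root-ca
issue_cert customer1 vpn-root-ca
# Adding a second firewall: only its own certificate is needed, customer1 is untouched.
issue_cert hq-firewall-2 vpn-root-ca
# A certificate from an unrelated CA is well-formed but must not be trusted.
build_ca other-ca
issue_cert rogue-peer other-ca

for peer in hq-firewall hq-firewall-2 customer1 rogue-peer; do
  if verify_cert "$peer" vpn-root-ca; then
    echo "$peer: trusted by peers that hold vpn-root-ca"
  else
    echo "$peer: NOT trusted"
  fi
done
```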