Using DN/Subject for site-to-site certificate auth

Here is my scenario: I have multiple site-to-site VPNs, all of which are fully trusted. So far I have set up an openssl CA, created x509 certs for each device, and have IKE2 VPNs up that are all authenticated by the mere fact they are signed by the CA. The VPN identification method I’m using is ‘hostname’.

I now have a VPN to set up where I only want the remote firewall to connect to some of my other ASAs, not all of them. If I sign the CSR using my CA, it would give them access to all of the firewalls. I believe there is probably a way to authenticate based on the DN (Subject) of the cert, but I’m not finding a lot of this in my searching.

Is this the right approach in this scenario? If so, how would I go about it?

Hi Brian,

Are you still working on a solution? I’m guessing your remote ASAs are dynamic peers?