F5XC - CA per Tenant to issue and sign mTLS client side certificates

In the Pool object, add the ability to enable mTLS and use a client certificate issued by an XC Managed CA. XC will generate a unique CA for each tenant namespace.

Competition: Cloudflare states "By default, API Shield mTLS uses client certificates issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each account." Source: https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/

Use case: Azure Application Gateway verifies "the client certificate's immediate issuer, here's how to determine what client certificate issuer DN will be extracted from the certificates uploaded". Source: https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview

Therefore, the CA has to be different per XC namespace: an origin that trusts the CA uploaded for one tenant must not accept a client certificate issued to a different tenant.
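As an added illustration (not part of the original idea and not F5's implementation), the following openssl script models the per-namespace CA design: each namespace gets its own CA, one client certificate is issued from it, and the verification an origin performs shows that a client certificate chains only to its own namespace's CA, with the immediate issuer DN that an origin such as Azure Application Gateway would extract. Namespace labels (ns-a, ns-b) and all DN fields are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or F5's implementation.
# Namespace labels (ns-a, ns-b) and DN fields are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Mint a CA for one namespace, then issue one client certificate from it.
make_ns() {                      # $1 = namespace label
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1-ca.key" -out "$1-ca.pem" \
    -subj "/O=XC Managed CA/CN=$1" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$1-client.key" -out "$1-client.csr" \
    -subj "/CN=$1-pool-client" 2>/dev/null
  openssl x509 -req -days 365 -in "$1-client.csr" \
    -CA "$1-ca.pem" -CAkey "$1-ca.key" -CAcreateserial \
    -out "$1-client.pem" 2>/dev/null
}

# Succeeds only if namespace $1's client cert chains to namespace $2's CA:
# the check an origin performs with the CA bundle a tenant uploaded.
chains_to() {
  openssl verify -CAfile "$2-ca.pem" "$1-client.pem" >/dev/null 2>&1
}

# Immediate issuer DN of a namespace's client cert, the field Azure
# Application Gateway extracts and matches against the uploaded CA.
issuer_dn() {
  openssl x509 -in "$1-client.pem" -noout -issuer -nameopt RFC2253 \
    | sed 's/^issuer= *//'
}

make_ns ns-a
make_ns ns-b

# Cross-check every client cert against every CA: only same-namespace pairs pass.
for pair in "ns-a ns-a" "ns-a ns-b" "ns-b ns-b" "ns-b ns-a"; do
  set -- $pair
  if chains_to "$1" "$2"; then r=accepted; else r=rejected; fi
  echo "client cert of $1 against CA of $2: $r (issuer: $(issuer_dn "$1"))"
done
```

With a single shared CA the two cross-namespace rows would be accepted as well, which is exactly the isolation failure the per-namespace CA prevents.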
  • Matthieu Dierick
  • Mar 3 2025