Comment by egberts

I do enjoy dual-PK-certificate authentication in my homelab: one by equipment, and one by user/group.

Only misgiving is that the key management issues have worsen only for the key administrator(s). But it is a viable and sustainable AA model because there is the most important security component: instant denial of a user and/or a equupment.