diff --git a/src/etc/inc/vpn.inc b/src/etc/inc/vpn.inc
index 7ededb6e1..8b3f21784 100644
--- a/src/etc/inc/vpn.inc
+++ b/src/etc/inc/vpn.inc
@@ -579,9 +579,6 @@ EOD;
 switch ($ph1ent['authentication_method']) {
 case 'eap-tls':
 $authentication = "leftauth=eap-tls\n\trightauth=eap-tls";
- if (!empty($ph1ent['certref'])) {
- $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
- }
 break;
 case 'xauth_rsa_server':
 $authentication = "leftauth = pubkey\n\trightauth = pubkey";
@@ -602,6 +599,19 @@ EOD;
 $authentication .= "\n\trightauth2 = xauth";
 break;
 }
+ if (!empty($ph1ent['certref'])) {
+ $authentication .= "\n\tleftcert={$certpath}/cert-{$ph1ent['ikeid']}.crt";
+ }
+ if (!empty($ph1ent['caref'])) {
+ $ca = lookup_ca($ph1ent['caref']);;
+ if (!empty($ca)) {
+ $rightca = "";
+ foreach (cert_get_subject_array($ca['crt']) as $ca_field) {
+ $rightca .= "{$ca_field['a']}={$ca_field['v']}/";
+ }
+ $authentication .= "\n\trightca=\"/$rightca\"";
+ }
+ }
 $left_spec = $ep;
 if (isset($ph1ent['reauth_enable'])) {
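Review bot: The `rightca` string built in the second hunk interpolates each subject component's `$ca_field['v']` into the quoted ipsec.conf value without any escaping or validation, so a CA subject containing `"`, a backslash, `/` or a newline would terminate or alter the `rightca=` value and, with a newline, could introduce further config lines. The CA is read via `lookup_ca()` from stored config rather than from a request, so this is a config-integrity hardening rather than an open injection, but the subject of an imported CA is still externally supplied data at import time and the whole point of `rightca` is to pin the peer's trust anchor, so a malformed value should not be able to silently widen or break it. I would reject rather than guess at escaping, e.g. inside the loop `if (preg_match('/["\\\\\/\r\n]/', $ca_field['v'])) { $rightca = ""; break; }` and then only append when non-empty, `if (!empty($rightca)) { $authentication .= "\n\trightca=\"/$rightca\""; }`, logging the rejection; whether strongSwan honours backslash escapes inside the quoted DN should be confirmed before choosing escaping over rejection. Also note the stray `;;` on the `lookup_ca()` line, and that `leftcert` is now emitted for every authentication method whenever `certref` is set, including the PSK cases, which presumably strongSwan tolerates but is a behaviour change from the eap-tls-only emission being removed in the first hunk. The enclosing function starts before and ends after these hunks.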