You can also configure multiple CA for client auth, and on the client side multiple ca to verify host keys.