OpenVPN: Single certificate authority, multiple VPNs
Posted by darwish on Server Fault
        
Published on 2013-10-27T18:02:29Z

The company in which I work has a single site (I'll refer to it as "Site A"). There are several private networks within site A. We have a running instance of OpenVPN which allows some employees to connect to one of the private networks in site A.
We're planning to extend our facilities to another site (which I'll refer to as "Site B") and we wish to connect both sites using OpenVPN. The VPN which will connect sites A to B will be a trunk link, meaning it will have access to all networks. If we use the same certificate authority for both VPN servers, this will allow the employees, who can only connect to one of the private networks within site A, to connect to the site-to-site link, which will give them access to all networks. Of course, this is undesirable.
Using 2 different certificate authorities seems like the obvious solution, but it doesn't feel right. I wonder if there's a way to maintain permission control within a single certificate authority.
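
Added example, not part of the original post: a throwaway PKI built with `openssl` that reproduces the chain-validation behaviour the question describes, comparing a trunk server that trusts the shared CA with one that trusts a separate CA. The CA names, common names and directory layout are hypothetical, and `openssl verify` stands in for the server's check against the file in its `ca` directive.

```shell
#!/usr/bin/env bash
# Added example. Constructed throwaway PKI; every name here is hypothetical.
set -eu

make_ca() {      # $1 = directory, $2 = CA common name
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {   # $1 = CA directory, $2 = subject common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
}

# Succeeds when the client certificate chains to the trust anchor, i.e. the
# file an OpenVPN server would name in its `ca` directive. Chain validation
# alone says nothing about which VPN the certificate was meant for.
accepted_by() {  # $1 = CA certificate the server trusts, $2 = client cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

verdict() { if accepted_by "$1" "$2"; then echo ACCEPTED; else echo REJECTED; fi; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work/shared" "Company CA"        # CA behind the existing employee VPN
make_ca "$work/trunk"  "Site-to-site CA"   # separate CA used only for the trunk
issue_cert "$work/shared" "employee-laptop"
issue_cert "$work/trunk"  "site-b-gateway"

emp="$work/shared/employee-laptop.crt"
echo "trunk server trusting the shared CA: employee cert $(verdict "$work/shared/ca.crt" "$emp")"
echo "trunk server trusting its own CA:    employee cert $(verdict "$work/trunk/ca.crt" "$emp")"
echo "trunk server trusting its own CA:    gateway cert  $(verdict "$work/trunk/ca.crt" "$work/trunk/site-b-gateway.crt")"
```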