I believe this was asked 3 years ago, but not properly answered (if at all). I've asked a few folks as well, but nothing yet.
The desire is to have different certificates/CA's used on/by different gateways. One example would be different locations with separate Active Directory domains. Users at each location already have different trusted CA's and would ideally be presented with different trusted root CA's upon outbound inspection.
AFAIK there is only a single outbound inspection certificate (whether internal or imported) - installed on the SMS and deployed to GW's during access policy installation.
One [rather impractical] workaround could be to install policy to site A, re-import site B's certificate (scriptable in R81.20?), install policy to site B. If R81.20's certificate scripting permits (as I've read), this could become fairly automated if we script all policy installation operations. Somewhat ugly, but it may at least help better covey the goal.
Even more ideally (but likely more of an RFE), what about allowing multiple outbound certificates in the inspection policy? The policy already allows for certificate selection - but only for inbound. Allowing certificate selection in outbound inspection rules would allow for even greater flexibility, like using roles and dynamic objects in source - allowing members of different AD domains (and even non-member machines) to use different certs. We can always dream 😉
Thanks,
-E