For a certificate-based VPN tunnel between two gateways with separate management systems, the requirement is mutually trusted Certificate Authorities (CAs). These trusted CAs ensure that both gateways can verify the authenticity of the certificates presented, thus establishing a secure VPN tunnel. Shared secret passwords, unique passwords, or shared user certificates do not provide the necessary trust and verification mechanisms needed for a certificate-based VPN tunnel.