IPsec Certificate Authority
A Certificate Authority must be set up if you want to use X.509 (certificate-based) authentication. More detailed information on this topic may be found in your EnGarde manual.

In a nutshell, the CA acts as a trusted entity that "signs" all of the certificates. When a user connects (using X.509 authentication), the signature on their certificate is checked to see if it was signed by this CA. If it was, then access is granted.
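The sign-then-check flow described above can be reproduced with the openssl command line. This is an added example, not EnGarde's own tooling or configuration; the names demo-ca, rogue-ca, alice and mallory are constructed for illustration, and it assumes an openssl binary with its default configuration file.

```sh
#!/bin/sh
# Added example: a CA signs a user certificate, and a gateway that trusts only
# that CA accepts it while rejecting a certificate signed by a different CA.
# All names (demo-ca, rogue-ca, alice, mallory) are constructed placeholders.

make_ca() {  # $1 = working dir, $2 = CA common name
    # Self-signed CA certificate; the default openssl.cnf marks it CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_cert() {  # $1 = working dir, $2 = signing CA name, $3 = user common name
    # The user generates a key and a signing request; the CA signs the request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 7 -out "$1/$3.crt" 2>/dev/null
}

check_cert() {  # $1 = trusted CA certificate, $2 = certificate presented by the user
    # Mirrors the gateway's decision: is this certificate signed by our CA?
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo granted
    else
        echo denied
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" demo-ca && make_ca "$d" rogue-ca &&
    issue_cert "$d" demo-ca alice && issue_cert "$d" rogue-ca mallory
    echo "alice (signed by demo-ca):    $(check_cert "$d/demo-ca.crt" "$d/alice.crt")"
    echo "mallory (signed by rogue-ca): $(check_cert "$d/demo-ca.crt" "$d/mallory.crt")"
    rm -rf "$d"
}
demo
```

Note that `openssl verify` also rejects certificates outside their validity period, so a certificate signed by the right CA can still be denied once it expires.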