There are a few types of certificates that you can use on routers - and I don't believe I am going through all of them.
On cisco, there is an 'encrypted nonce' in which each router generates it's own key-pair and then trades public keys. With this type, you get the benefits of not using shared secret, but you don't have a certificate authority (CA) to really control what's going on and to vouch for the identity of the other part.
To really us a certificate, you first need to choose a Certificate Authority (CA) that you want to do business with. Depending on your companies size, you may or may not have your own CA servers for this type of purpose. If you don't, companies like Verisign can provide them.
The idea is that each party that puts a certificate on their device is trusted by Verisign - assuming that Verisign does a certain level of identity checking. Therefore, if we both trust verisign, and we both trust that they do a good job checking identity, then I can also trust that the certificate that someone just gave me that was signed with Verisign's keys can also be trusted.
Similar concept as to what's going on inside the browser. Your browser by default has a Verisign cert installed. So your browser already trusts them. So when you connect to an SSL website that is using their certs, you trust that they are who they say they are and then use that info to exchange the keys that you'll use for the SSL transaction.
Another benefit of using a CA server is that a CA can revoke a certificate as well. So if something ends up falling into the wrong hangs (let's say someone steals a router), you can revoke their certificate. Now, since Verisign no longer trusts them, and I trust verisign, I don't trust that guy either and he can no longer connect.
If you decide to setup your own CA, just remember, nobody trusts you. You'll need to export your CAs cert and get it imported into your browser to respect any certs that you generate - otherwise, you'll still get an error message (assuming you use the cert for an https site).
Two VPN routers would probably also want to make sure that they trust the CA - not sure how to register that, it depends on the product.
Microsoft has a CA server in their Advanced Server product if you want a 'free' one, assuming you have Advanced Server. If you want it to work with Cisco routers though, you'll need to install the SCEP module to enable the correct protocol to allow routers to register and get certs.
To answer the other part of your question, what are the benefits of this over using a shared secret.
Depends on your environment. If it's small and you can rotate your shared secret on a regular basis, and your shared secret is strong, not much. With a CA you do get the benefit of revocation, being able to trust unknown third parties without giving them a shared value that you may have also given others, etc.
As for good material, it mostly depends on the product. For general public key information, I'm sure you'll find plenty on google. Here's a Wikipedia on PKI: http://en.wikipedia.org/wiki/Public_key_infrastructure