Hi, my product guide doesn't mention what a cluster CA is. I've seen this post but am not really any wiser! https://community.mcafee.com/message/215959#215959
Is there any up-to-date documentation on this?
At present I have a cluster of 5 proxies in different geographic locations.
I created a user interface cert for each of them and also a sub-CA based on our internal Windows CA for each one.
Do I need the cluster CA?
Does it negate the need for creating a sub-CA on each proxy?
The cluster CA is what allows each of the nodes in the cluster to communicate with each other (on port 12346). Each node shares the same cluster CA. If you change this, then you would need to import it on any new node prior to joining it to the cluster; otherwise joining will not work.
The "Cluster CA" should not be confused with the user interface certificate or the SSL scanning CA. The Sub CA you have has been imported under Policy > Settings > Engines > SSL client context with CA; each node already shares this setting.
In the end, the cluster CA is not something that you should need to change, nor is it a user-related item.