The cluster CA is what allows each of the nodes in the cluster to communicate with each other (on port 12346). Each node shares the same cluster CA. If you change this, then you would need to import it on any new node prior to joining it to the cluster; otherwise joining will not work.
The "Cluster CA" should not be confused with the user interface certificate or the SSL scanning CA. The Sub CA you have has been imported under Policy > Settings > Engines > SSL client context with CA; each node already shares this setting.
In the end, the cluster CA is not something that you should need to change, nor is it a user-related item.
Thanks for clearing that up, Jon. I won't touch it then.