I have a few questions regarding certificates on an active/active IC 6500 cluster: 1)Should cluster members each have their own certificate, or should there be a single cluster certificate? Currently mine have individual certs, with the 'leader's' associated with the 'primary internal port', and the 'enabled's' associated with the 'cluster internal VIP'. Everything works fine, but what is best practice? 2) Replacing (not just Renewing) an expired cert on the 'enabled', I'm unable to break the port association with the expired cert because the 'Cluster internal VIP' seen to be associated with it on the Configuration Certificates page isn't visible when I go into the Certificate Details page. Is there another location I should look? 3) I will soon need to change domain names on the cert(s). Since they expire at different times, will they both - if two are recommended - need to be changed simultaneously? thanks!
... View more