When we installed our CPPM last year we were in a hurry for production and got the PUB running a couple weeks earlier than the SUB, so when we generated our CSR we just did it for the PUB. When we got to the SUB deployment we did another CSR and installed on the SUB.
I have seen an issue where clients that roam between the two authentication servers have to trust the "new" certificate (admittedly haven't done a lot of testing, but it made sense to me).
I'm about to renew the certificate and would like to avoid this issue in the future, so I assumed I needed to create a new cert for a generic name (i.e. clearpass.domain.com) with 2 SANs (i.e. cppm1.domain.com and cppm2.domain.com). However, your answer here makes me think I should be able to just use a cert with clearpass.domain.com and it will work fine regardless of which server presents it...is that right?
We are using L3 redundancy only, so no VIP. If authentication fails to the other server it will necessarily be a different IP/hostname.
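Added example, not code from the post or from the ClearPass product: it builds an OpenSSL request config whose CN is the generic name and whose subjectAltName lists both node hostnames, self-signs it so the result can be inspected, and then checks which hostnames the certificate actually covers. The hostnames are the ones from the post; the working directory and file names are assumptions made here for the demonstration.

```shell
#!/bin/sh
# Constructed demonstration: the certificate is self-signed here only so the
# SAN handling can be verified offline; in production the CSR goes to the CA.
set -eu

WORKDIR="${TMPDIR:-/tmp}/cppm-san-demo"   # assumed scratch location
mkdir -p "$WORKDIR"

# Request config: CN is the generic name, and every node that will present the
# certificate is listed as a SAN. Clients match the server name against the
# SAN list, so the node hostnames must appear there, not only in the CN.
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = clearpass.domain.com
[ext]
subjectAltName = DNS:clearpass.domain.com, DNS:cppm1.domain.com, DNS:cppm2.domain.com
EOF
}

# Generate a private key and a CSR that carries the SAN extension.
make_csr() {
  write_req_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/cppm.key" \
    -out "$WORKDIR/cppm.csr" -config "$WORKDIR/req.cnf" 2>/dev/null
}

# Self-sign the CSR (stand-in for the CA), copying the SAN extension across.
make_test_cert() {
  make_csr
  openssl x509 -req -in "$WORKDIR/cppm.csr" -signkey "$WORKDIR/cppm.key" \
    -days 1 -extfile "$WORKDIR/req.cnf" -extensions ext \
    -out "$WORKDIR/cppm.crt" 2>/dev/null
}

# Returns 0 when the certificate is valid for the given hostname, 1 otherwise.
cert_covers_host() {
  openssl x509 -in "$WORKDIR/cppm.crt" -noout -checkhost "$1" | grep -q "does match"
}

make_test_cert
for h in clearpass.domain.com cppm1.domain.com cppm2.domain.com other.domain.com; do
  openssl x509 -in "$WORKDIR/cppm.crt" -noout -checkhost "$h"
done
```

Run the same `-checkhost` loop against the certificate the CA returns before installing it on either node; a name missing from the SAN list is exactly the case that makes roaming clients see an untrusted certificate.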