The best way to master a concept is to find your own and atypical idea and translate it into real scenario.
Requirements:
The CallBridge, Scheduler and WebBridge services are running in the same node Cisco Meeting Server but instead of a multi-SAN certificate, I used separate certificates for each services and different CA Servers.
1. The CallBridge service should use the CA-1 Server to sign the CallBridge certificate called CALLBRIDGE.cer.
2. The WebBridge service should use the CA-2 Server to sign the WebBridge certificate called WEBBRIDGE.cer.
3. The CallBridge must use the subordinate CA generated from CA-1 Server.
4. The WebBridge must use the subordinate CA generated from CA-2 Server.
5. Create a Bundle CA Called CB-Bundle.cer for CallBridge service using the Subordinate CA and Root certificate of CA-1 server.
6. Create a Bundle CA called WB-C2W-Bundle.cer for WebBridge service using the Subordinate CA and Root certificate of CA-2 server.
7. Create a certificate chain called WEBBRIDGE-CHAIN.cer for WebBridge3 using the previous subordinate CA, the Root certificate of CA-2 server and the WebBridge certificate.
8. Make sure that the CallBridge service will trust only the WebBridge certificate chain signed by only the certificate WB-C2W-Bundle.cer.
9. Make sure that the WebBridge service will trust only the CallBridge's certificate signed by only the certificate CB-Bundle.cer.
10. Enable the Scheduler, Since the Scheduler is required to run on a server which also has a colocated Callbridge, it is possible to use the Callbridge certificate and C2W trust cert for the Scheduler service, but a chain certificate is required for Scheduler, therefore bundle the certificates CALLBRIDGE.cer and CB-Bundle.cer used previously for CallBridge to create chain certificate SCHEDULER-CHAIN.cer.