vSphere Trust Authority requires separate vCenter Server systems for the Trust Authority Cluster and the Trusted Cluster.
The Trust Authority Cluster is configured and managed on an independent, isolated vCenter Server. The vCenter Server of the Trust Authority Cluster cannot also be the vCenter Server of the Trusted Cluster. The Trusted Cluster must have its own, separate vCenter Server. A single vCenter Server can manage multiple Trusted Clusters. Multiple vCenter Server systems for Trusted Clusters can participate in enhanced linked mode. The vCenter Server for the Trust Authority Cluster cannot participate in enhanced linked mode with other Trust Authority Cluster vCenter Server systems or Trusted Cluster vCenter Server systems.
The Trust Authority administrator manages the Trust Authority Cluster and its associated vCenter Server independently from other vCenter Server instances, because this approach provides the best security isolation.
The Trust Authority administrator documents or publishes the hostnames and SSL certificates that Trusted Cluster administrators use to configure their clusters. The Trust Authority administrator also provisions trusted key providers for the organization and its departments, or even individual administrators.
You cannot deploy vSphere Trust Authority services directly on the Trusted Cluster managed by the Workload vCenter Server, because the workload administrator has high privilege access to the ESXi hosts. This type of deployment does not achieve the necessary separation of roles that is required to meet the security objectives of vSphere Trust Authority.