Jean-Gaël Dominé <jgdomine@...>
From the description you gave and Joe's explanation, you should have two CAs instead of one to issue the certificates for both MSPs (one for org1MSP and one for org1OrdererMSP). Joe explained that the same root certificate (thus Certificate Authority) should not issue the peers' and orderers' artifacts.
Technically, nothing prevents you from doing so, but from a best-practice perspective, that should be the case.
Hope I'm not mistaken
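
Added example (not part of the original message, and not Hyperledger Fabric code): a Python check that the two MSPs discussed above, org1MSP and org1OrdererMSP, do not trust the same root certificate. It assumes each MSP directory keeps its root CA certificates as PEM files under `cacerts/`; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def root_fingerprints(msp_dir):
    """SHA-256 of the DER bytes of every certificate in <msp_dir>/cacerts."""
    prints = set()
    for path in sorted(Path(msp_dir, "cacerts").glob("*")):
        if not path.is_file():
            continue
        # A file may hold several PEM blocks; hash the decoded bytes so that
        # line wrapping or trailing whitespace cannot hide a shared root.
        for body in PEM_RE.findall(path.read_text(errors="replace")):
            der = base64.b64decode("".join(body.split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints

def shared_roots(peer_msp, orderer_msp):
    """Fingerprints trusted by both MSPs; empty means the roots are separate."""
    return root_fingerprints(peer_msp) & root_fingerprints(orderer_msp)

def _pem(der, width=64):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def demo():
    """Constructed layout: placeholder bytes stand in for DER certificates."""
    ca_a, ca_b = b"constructed-root-A" * 8, b"constructed-root-B" * 8
    with tempfile.TemporaryDirectory() as tmp:
        def msp(name, pem):
            cacerts = Path(tmp, name, "cacerts")
            cacerts.mkdir(parents=True)
            (cacerts / "ca.pem").write_text(pem)
            return cacerts.parent
        peer = msp("org1MSP", _pem(ca_a))
        reused = msp("org1OrdererMSP-reused", _pem(ca_a, width=76))
        separate = msp("org1OrdererMSP-separate", _pem(ca_b))
        return len(shared_roots(peer, reused)), len(shared_roots(peer, separate))

if __name__ == "__main__":
    print(demo())
```

The comparison matches identical certificates only; a root re-issued with the same key, or intermediates that chain to a common root, would need a real X.509 parser to detect.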