If a licensee is managing a multi-tenant installation it is acceptable for those tenants to share a single set of production certificates (License, transport, and packager) managed by the host/licensee. (The host/licensee is still beholden to the Highly Confidential Information handling terms in the compliance and robustness rules.) The ability of a client to decrypt content would be gated by license issuance and the business rules that control it.
However, in this scenario no key material can be shared with the customer. In cases where the customer wishes to package their own content they will need their own set of certificates. Also, keep in mind that some customers who are licensing premium content may have explicit statements in their content licensing agreements which would preclude the use of a single set of credentials managed by a host-- in these instances you would need to issue customer-specific set of certificates to meet that contractual obligation.
Does this answer your question?
--- Joseph R. Jones
Sr. Product Manager