I would like to tell you:
There is not a replacement process as such; these certificates get regenerated automatically, and there is already one being used.
The cert that you see right now is just a leftover and can be deleted safely. It does not need to be replaced because it already HAS been replaced when the CAPF cert was regenerated.
I would like to inform you that CAPF certificates are not used for anything until and unless you have a secure cluster, and since we do not have a secure cluster, these certificates are not being used for anything.
We can see that the real CAPF certificate is the file with the name of CAPF.pem:
Any CallManager-trust or CAPF-trust that does not end in this current active string of CAPF-44f71bf3 (this will vary based on what your capf.pem shows) can be deleted.
In this lab system we can safely delete:
CAPF-trust | trust-certs | CAPF-9d41e66e.pem |
CallManager-trust | trust-certs | CAPF-9d41e66e.pem |
If we regenerate the CAPF.pem certificate again, we get yet another new random string CAPF.pem cert. This becomes the new cert and replaces the old ones:
Then we have even more obsolete certs on the box that can be deleted:
These certificates are kept around in case there are LSCs out in the field on phones that have been signed by the older CAPF certificates.
If the cluster is not in secure mode they can be deleted.
If the cluster is in secure mode then all of the LSCs that were signed by the old CAPF cert must be regenerated before deleting the old CAPF certificate for phone security to continue working.
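The cleanup rule above can be checked mechanically before anything is deleted. The following is an added example, not part of the original post: it assumes the trust listing has been saved as pipe-separated rows in the form shown above, and the function name `triage_capf_trust` and the sample listing are constructed for illustration.

```python
import re

# Row format follows the pipe-separated rows shown in the post:
#   <trust store> | trust-certs | CAPF-<id>.pem |
ROW = re.compile(
    r"^\s*(CAPF-trust|CallManager-trust)\s*\|\s*trust-certs\s*\|"
    r"\s*CAPF-([0-9a-fA-F]+)\.pem\s*\|?\s*$"
)

def triage_capf_trust(listing, active_id, secure_mode):
    """Return (store, file, action) for every CAPF trust entry that does not
    carry the active CAPF identifier. Hypothetical helper, not a Cisco tool."""
    active_id = active_id.lower()
    entries = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # rows that are not CAPF-<id>.pem trust entries are ignored
            entries.append((m.group(1), m.group(2).lower()))
    # Fail safe: if the supplied active id matches no entry, it is probably
    # mistyped, and every live entry would be reported as obsolete.
    if not any(cid == active_id for _, cid in entries):
        raise ValueError(f"active id CAPF-{active_id} not found in listing")
    # In secure mode, LSCs signed by the old CAPF cert must be regenerated
    # before the old trust entry is removed.
    action = "regenerate-lscs-first" if secure_mode else "delete"
    return [(store, f"CAPF-{cid}.pem", action)
            for store, cid in entries if cid != active_id]

# Constructed sample listing (identifiers taken from the rows in the post).
SAMPLE = """\
CAPF-trust | trust-certs | CAPF-44f71bf3.pem |
CAPF-trust | trust-certs | CAPF-9d41e66e.pem |
CallManager-trust | trust-certs | CAPF-44f71bf3.pem |
CallManager-trust | trust-certs | CAPF-9d41e66e.pem |
CallManager-trust | trust-certs | CallManager.pem |
"""

if __name__ == "__main__":
    for row in triage_capf_trust(SAMPLE, "44f71bf3", secure_mode=False):
        print(*row, sep=" | ")
```

Pass the identifier read from your own CAPF.pem as `active_id`; the value used here is the one from the lab system in the post.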