I have a customer running CUCM 12.5 and they use ISE with 802.1X authentication for IP phones connecting to Catalyst switches.
They use CAPF self-signed certs for this and they are installed in ISE as trusted certs.
The CAPF certs were regenerated on their CUCM servers over a year ago, but the CAPF certs in the ISE trust store were not updated at the time. Currently everything seems to work OK in terms of phone authentication, but the older versions of the CAPF certs in the ISE trust store will expire soon.
I need to install the newer CAPF certs in ISE and am trying to find out if there are any issues that I need to consider before doing so.
I don't think that I should need to worry about the phone CTL, as the phones should have picked up the new CAPF certs, but it would be useful to have that confirmed.
I am not sure whether installing the newer CAPF certs alongside the older CAPF certs would be OK or whether I should delete the older ones first.
I might be over-thinking this but want to avoid any issues as the potential impact if phones are unable to authenticate is considerable.