
CUCM CAP-RTP-001 and CAP-RTP-002

extremum
Level 1

Hello,

These two certs, CAP-RTP-001 and CAP-RTP-002, are installed on the CUCM as callmanager-trust and capf-trust; they will expire in 2023. How can we get new/valid certs?

Thanks.

53 Replies

BenBen
Level 1

I am working on a solution/suggestion/recommendation for this as well. There are several certificate renewal/regeneration documents floating around in addition to the security management guide. Not too much was said about CAP-RTP-001 and CAP-RTP-002, which are expiring on Feb 6, 2023!

Seriously, we need to know what these two certificates are/were used for, and only Cisco can answer that question. I downloaded some MIC certificates from the IP phones; they were signed by "Cisco Manufacturing CA" with serial number "6a6967b3000000000003", which has an expiration date of 05/14/2029 (whew).

It will be much appreciated if anybody can share their experience with us.

Much thanks.

-Ben

These certificates are used if your system is running in Mixed mode for device secure registration.



We are running the Mixed Mode function and we are using CAPF with NAC.

We did renew the CAPF certificate last year.

Are those needed for mixed mode?

CAP-RTP-001 & CAP-RTP-001 (callmanager-trust/capf-trust)?

These specific ones are used to validate the MIC on the devices when you run in secure mode. As these eventually will expire, Cisco provides new certificates that are used for this in updates of CM. That is yet another reason why it is advisable to keep the system(s) up to date.



We are running version 12.5 and every time we did a CUCM upgrade, I don't think those certificates changed or got updated. Since we are running in mixed mode and those certificates are not renewable, what is the solution for us?

An upgrade typically adds new/other certificates that are used to validate the MIC. If you look at the certificates that you have in your CM, you'd see a list of certs used for validation of the MIC on the devices. The ones that are expiring can be removed.



Thank you for your answer. If I look at the list of certificates, I see those that are expiring a couple of years later and they have the same description:

- Cisco_Root_CA_2048
- ACT2_SUDI_CA
- Cisco_Manufacturing_CA_SHA2
- Cisco_Manufacturing_CA
- Cisco_Root_CA_M2

So I guess those were previously installed through an upgrade and they will be used instead of the ones expiring?

That is correct and is my understanding as well. For additional information on this you can have a look at this post that discussed more or less the same thing.

https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/td-p/4749655



great

thank you 

Hi Roger, I have deleted the CAP-RTP-001 certificate from Callmanager-Trust but could not delete it from the CAPF-Trust store. Received HTTP Status 404 Error.

I'm able to delete it from the CAPF-Trust store as well. Earlier, I had stopped the Certificate Change Notification service as best practice before deleting any certificate. Not sure if that caused the issue. Later on we started that service back up and deleted it from the CAPF store. Thank you!

I am running mixed mode and have a secure cluster. So you're saying that I will need to renew this certificate even if I have LSC extended to all the phones?

No, that is not what I wrote. The certificates that are used for verification of MIC on the devices are updated by Cisco. The certificates that are expiring are not used, as they are replaced by other certificates. These get installed during upgrades of the system.



Thank you for your knowledge Roger, it is much appreciated.

My system right now (12.5) is in non-secure mode, so I can delete these things, but in the near future I will have to jump up to mixed mode and activate all this joy. Are you aware of how Cisco is planning to provide new certificates for 12.5 or 14? Would it be through an ES or SU?

 

Rob

You can refer to this post that has the same topic covered in some detail - https://community.cisco.com/t5/unified-communications-infrastructure/cucm-capf-certificate-question/td-p/4749655

If you have a large environment or difficulties understanding their dependency, I would advise reaching out to TAC.