And if I understand correctly, I will have to create a new SCEP RA profile to download the new certificates to the ISE trust Certificate Store, and re-bind my certificate template to the new SCEP RA profile.
My question is, what am I suppose to do with the old SCEP RA profile? Just leave it be? I found that if I remove it, ISE will per auto clean up the Certificate Trust store for the whole cert chain used in the SCEP RA profile: "When a SCEP RA Profile is removed, the associated CA chain is also removed from the Trusted Certificates Store.". That would remove the RootCA used for all my EAP and Admin certs, so I do not want to do that. But I don't want to have expired certs in ISE trust store also (the RA certificates).
If I leave the old SCEP RA profile be, can I safely remove the old RA Certificates in the ISE Certificate Trust Store? So that I don't have any expired certs in my trust store. See attached image of the RA cert in ISE Trusted Certificates Store that I want gone: