03-02-2022 09:09 AM
Hi, we are trying to remediate a vulnerability reported by Tenable. I got the message below and understand why it appears, but do not know why other switches do not have this message. What kind of config on a switch can cause the issue? Thank you
SSL Self-Signed Certificate | The SSL certificate chain for this service ends in an unrecognized self-signed certificate. | The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority. | Purchase or generate a proper SSL certificate for this service. |
03-02-2022 09:45 AM - edited 03-02-2022 10:30 AM
@Leftz the Cisco switches generally come with certificates - use "show crypto pki certificates" to determine the PKI trustpoint.
The certificate could be used to access the switch's web UI; if you do not use this, you can disable the web UI using "no ip http secure-server". You can remove the trustpoint using "no crypto pki trustpoint <name>"
03-03-2022 01:43 PM
Hi, thank you very much for your reply!
There are several trustpoints when using the command "show crypto pki certificates". Please see below. Which one can be shut down? If all of them are shut down, what impact would it have?
W5#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 3C221
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA SHA2
o=Cisco
Subject:
Name: WS-C3650-24PDM-3
Serial Number: PID:WS-C3650-24PDM SN:FDO
cn=WS-C3650-24PDM-380E
serialNumber=PID:WS-C3650-24PDM SN:FD
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca2.crl
Validity Date:
start date: 10:08:15 UTC Oct 27 2017
end date: 10:18:15 UTC Oct 27 2027
Associated Trustpoints: CISCO_IDEVID_SUDI
Certificate
Status: Available
Certificate Serial Number (hex): 2D1
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: WS-C3650-24PDM-380E4
Serial Number: PID:WS-C3650-24PD
cn=WS-C3650-24PDM-380E4D
serialNumber=PID:WS-C3650-24PD
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/cmca.crl
Validity Date:
start date: 10:01:10 UTC Oct 27 2017
end date: 10:11:10 UTC Oct 27 2027
Associated Trustpoints: CISCO_IDEVID_SU
CA Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA M2
o=Cisco
Subject:
cn=Cisco Manufacturing CA SHA2
o=Cisco
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crcam2.crl
Validity Date:
start date: 08:50:58 UTC Nov 12 2012
end date: 08:00:17 UTC Nov 12 2037
Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA M2
o=Cisco
Subject:
cn=Cisco Root CA M2
o=Cisco
Validity Date:
start date: 08:00:18 UTC Nov 12 2012
end date: 08:00:18 UTC Nov 12 2037
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool
CA Certificate
Status: Available
Certificate Serial Number (hex): 6A696
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 20
o=Cisco Systems
Subject:
cn=Cisco Manufacturing CA
o=Cisco Systems
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2048.crl
Validity Date:
start date: 17:16:01 UTC Jun 10 2005
end date: 15:25:42 UTC May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY Trustpool
CA Certificate
Status: Available
Certificate Serial Number (hex): 5FF
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 204
o=Cisco Systems
Subject:
cn=Cisco Root CA 204
o=Cisco Systems
Validity Date:
start date: 15:17:12 UTC May 14 2004
end date: 15:25:42 UTC May 14 2029
Associated Trustpoints: CISCO_IDEVID_SUDI_LEGACY0 Trustpool
Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2334
Subject:
Name: IOS-Self-Signed-Certificate-2334
cn=IOS-Self-Signed-Certificate-23343
Validity Date:
start date: 11:39:38 UTC Nov 9 2018
end date: 19:00:00 UTC Dec 31 2019
Associated Trustpoints: TP-self-signed-233438
Storage: nvram:IOS-Self-Sig#1.cer
03-03-2022 01:57 PM - edited 03-03-2022 01:57 PM
@Leftz search your config for the associated trustpoint names, see what is referencing them. Probably the web GUI cert and Smart Call Home.
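To work out which of the trustpoints listed above is the one the Tenable plugin is reporting, here is an added example (not from the thread, Cisco, or Tenable) that parses "show crypto pki certificates" output and reports end-entity certificates whose issuer equals their subject, plus any that are past their end date. The sample text is a constructed excerpt in the shape of the output posted above, with the trustpoint name shortened to "TP-self-signed-2334".

```python
import re
from datetime import datetime
# Constructed excerpt shaped like the "show crypto pki certificates" output in the thread.
SAMPLE = """\
CA Certificate
Issuer:
cn=Cisco Root CA M2
Subject:
cn=Cisco Root CA M2
end date: 08:00:18 UTC Nov 12 2037
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool
Router Self-Signed Certificate
Issuer:
cn=IOS-Self-Signed-Certificate-2334
Subject:
cn=IOS-Self-Signed-Certificate-2334
end date: 19:00:00 UTC Dec 31 2019
Associated Trustpoints: TP-self-signed-2334
"""
HEADER = re.compile(r"^(CA Certificate|Router Self-Signed Certificate|Certificate)$")

def parse_certs(text):
    # One dict per certificate block: type, issuer/subject attributes, end date, trustpoints.
    certs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER.match(line):  # a new certificate block begins
            cur = {"type": line, "issuer": {}, "subject": {}, "end": None, "trustpoints": []}
            certs.append(cur)
        elif line in ("Issuer:", "Subject:"):  # k=v attribute lines follow
            section = line[:-1].lower()
        elif line.startswith("end date:"):  # IOS prints e.g. "19:00:00 UTC Dec 31 2019"
            cur["end"] = datetime.strptime(line.split(":", 1)[1].strip(), "%H:%M:%S %Z %b %d %Y")
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
        elif section and "=" in line:
            key, val = line.split("=", 1)
            cur[section][key.strip()] = val.strip()
        elif line.endswith(":"):  # any other header closes the Issuer/Subject section
            section = None
    return certs

def self_signed_leaves(certs):
    """End-entity certs whose issuer CN equals the subject CN (what the plugin flags);
    root CAs are self-signed too, but they are trust anchors, not what the HTTPS server presents."""
    return [c for c in certs if c["type"] != "CA Certificate"
            and c["issuer"].get("cn") and c["issuer"]["cn"] == c["subject"].get("cn")]

def expired(certs, now=None):
    now = now or datetime.now()
    return [c for c in certs if c["end"] and c["end"] < now]
```

On the output posted above, only the TP-self-signed trustpoint matches, and its end date (Dec 31 2019) is already past the date of this thread, so an expiry finding is likely alongside the self-signed one. The posted output is truncated in places, so run the check against the full text from the switch rather than the copy here.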