Always been a little bit hazey regarding the certificates on Cisco UCM and Unity Connection, probably because once they're in its years before they expire again and don't need to touch them.
However as far as I understand, your main CallManager, IPSEC, Tomcat certificates need to be valid and have associated valid xxx-trust certificates.
However I've just jumped onto a Unity Connection cluster which isn't having any issues, but has expired certificates below of type RSA
ipsec & ipsec-trust
tomcat & tomcat-trust
but then does have a valid tomcat-ECDSA and associated tomcat-trust certs of type EC.
So as long as there is one type of valid EC or RSA certificate for Tomcat then web access and any other tomcat related services like EM on CUCM will operate correctly?
Regarding IPSEC, surely this certificate needs to be renewed? its not currently effecting anything, but I thought this would prevent backups from being successful? yet its was fine doing its daily backup this morning...