
CUCM IPSEC Certificate

extremum
Level 1

Hello,

Our version is CUCM 14 SU4 and we do not use the IPSEC feature. In the previous version the IPSEC cert. was used for DRF, but now DRF is managed by Tomcat, so can we delete the IPSEC cert. from the entire cluster?

 

Best Regards,

 

9 Replies

Where have you seen that DRF doesn’t use the IPSEC certificate? From what I know it still uses this certificate.





Roger, maybe I am wrong, but can you explain IPSEC regarding the chart below:

 

extremum_0-1736366812433.png

 

What is the number of the breakout session from Live? I'd rather look at it first hand before I comment.





As far as I know, from 14 FCS and above, if IPsec is not used, it can be removed. However, I have never deleted them for the customers, and I'm not sure how this can be done. I leave them untouched.

NithinEluvathingal_0-1736403202367.png

 

NithinEluvathingal_1-1736403259737.png

 

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/14SU2/cucm_b_security-guide-14su2/cucm_m_certificates.html





How would one actually remove the IPsec certificate? From what I can see on our system, which runs 15SU3, there is no delete option.

image.png

@Nithin Eluvathingal based on the document you shared it looks like DRF (DRS) from version 14SU2 uses the Tomcat-ECDSA certificate.

image.png

Snag_2772b1.png





Maybe from CLI?

set cert delete does not work?

From what I know that is only possible for certificates that are in a trust store named with <something>-trust, for example CallManager-trust or tomcat-trust.

If I run the command from CLI that should, from what I understand, remove the IPsec cert, I get this.

image.png

If I list the certificates that the system uses I think that the unit and file names are correctly entered.

image.png





@Roger Kallberg I'm unsure how it can be deleted; even I haven't seen an option to delete it from the GUI. My understanding, like the OP's, is that it can be deleted based on the slides I have seen.

Like the response of a Cisco employee on the community, it could be doable from the CLI. I cannot test this, but if you have the option, please try it and let us know.

NithinEluvathingal_0-1736413869112.png

https://community.cisco.com/t5/ip-telephony-and-phones/removing-certificates-from-cucm/td-p/2934514

For details on how to delete it and what exactly Cisco meant by this, I guess Cisco TAC could provide an answer.

@extremum, keep it untouched or raise a question with TAC if you really want to remove it.





extremum
Level 1

I will keep it for now. If someone has deleted it and has experience with it, please update, then I can remove it.