9800 WLCs - Certificate renewal and automation

Dylanh
Level 1

Hello All,

I'm sure that most of you will be aware that Google is intent on driving through 90-day certificate lifecycles in the near future. As such, I am starting to think about certificate automation for our 9800 WLC's. Has anyone else looked at this yet, and had any success? I would be grateful if anyone could point me to some configuration guides on achieving this.

We would be looking to automate certs for webauth and HTTPS access.  Our current software version is 17.3.8a

Thanks

Dylan

7 Replies

balaji.bandi
Hall of Fame

Not that I am aware of; as far as I know, nothing like that is tested and available.

There may be some option with the API, but I am not sure whether it covers cert automation.

Generally we follow the guide below:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#anc42

BB

***** Rate All Helpful Responses *****


Dylanh
Level 1

Thanks BB and I appreciate your response, but I don't believe that has covered my query.

The article below highlights the need to find a way to automate certificate creation and renewals, as the certificate lifecycle will only get shorter and shorter. We need to start taking action now to deal with this impending change.

https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/ (Moving Forward, Together, chromium.org)

I'd be interested to know if Cisco is looking at this and providing a way forward, not only for 9800 WLCs but other appliances too (ISE, etc.) If anyone has any experience in automating certs for Cisco products, I would be interested to hear about it.

Thanks again

Dylan

Sure, I have provided the document for the process that is active right now.

Sure, that may be a future wish for the Cisco BU to automate; as of 17.13.X I do not see any indication, as far as I am aware, that what you are looking for exists specifically for your query.

BB


ammahend
VIP

That's a good idea, but I don't think there is any official process like that. You can auto-renew certs on the public CA side and continue using the original CSR, but you still have to manually import it to the local repository and then to the devices. One of the reasons it will be a hard nut to crack is that there is no standard process of certificate installation across platforms; even within Cisco, most products have their own method. I raised this issue with Cisco once.

-hope this helps-

Rich R
VIP

If you're talking about something like ACME (as referred to in your chromium link) when referring to automation, then I'm not aware of any current or future plans for Cisco to support it, although I agree it would be useful. So you could use a third-party client using ACME to handle the certificate renewal part with the issuing CA, but you still need a method to get the cert installed on the WLC.

The functionality to do that today exists already: https://developer.cisco.com/codeexchange/github/repo/jeremycohoe/cisco-ios-xe-gnmi/ See gNOI certificate management service (cert.proto)

Or you could write your own code using restconf/YANG:
 https://github.com/YangModels/yang/blob/main/vendor/cisco/xe/17121/Cisco-IOS-XE-crypto-rpc.yang

"Our current software version is 17.3.8a"
Good that you're on the latest 17.3 release, bad that you're still on 17.3 - it's almost EOL - see:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/ios-xe-17-3-x-eol.html
Already past the bug and security fix dates!
Keep track of the TAC recommended releases (link below) and start planning for keeping your network in sync with that as much as possible.  You're certainly not going to get any new automation features staying on the oldest supported release of IOS-XE!  At this point you should be planning your move to 17.9 right now and then start planning and thinking about 17.12 when that becomes the default recommended release.
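The glue Rich R and ammahend describe (an ACME client does the renewal, you still need to land the certificate on the WLC) as an added example that is not code from the thread or from Cisco. It is a certbot deploy hook: certbot sets RENEWED_LINEAGE for deploy hooks, the script wraps the renewed key, leaf and chain into a PKCS12 bundle with openssl and renders the IOS-XE commands that the Cisco CSR guide linked earlier walks through by hand (crypto pki import ... pkcs12, ip http secure-trustpoint, the web auth parameter-map trustpoint). It uses the CLI import route rather than the gNOI or RESTCONF routes mentioned above. The TFTP server address and root, the output directory and the trustpoint naming scheme are assumptions, not anything from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a certbot deploy hook that bundles a
# freshly renewed certificate into PKCS12 and renders the IOS-XE commands that
# load it onto a Catalyst 9800 and bind it to HTTPS and web auth.
# Assumptions (hypothetical, adjust to your environment): TFTP_SERVER and
# TFTP_ROOT, CFG_OUT, the trustpoint naming scheme, and that openssl is installed.
set -eu

TFTP_SERVER="${TFTP_SERVER:-192.0.2.10}"   # RFC 5737 documentation address
TFTP_ROOT="${TFTP_ROOT:-/srv/tftp}"
CFG_OUT="${CFG_OUT:-/var/lib/wlc-certs}"

# Wrap the renewed key, leaf and chain into one PKCS12 file. IOS-XE requires an
# export password on import; it only protects the bundle while it sits on TFTP.
build_pkcs12() {
    lineage="$1"; bundle="$2"; export_pass="$3"; friendly="$4"
    openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" \
        -in "$lineage/cert.pem" \
        -certfile "$lineage/chain.pem" \
        -name "$friendly" \
        -passout "pass:$export_pass" \
        -out "$bundle"
}

# Render the 9800 side. A new, date-stamped trustpoint is imported each time
# and HTTPS / web auth are re-pointed at it, so the previous trustpoint stays
# intact until you have verified the new certificate and choose to remove it.
render_wlc_config() {
    tp="$1"; bundle_name="$2"; export_pass="$3"; tftp_host="$4"
    cat <<EOF
crypto pki import $tp pkcs12 tftp://$tftp_host/$bundle_name password $export_pass
ip http secure-trustpoint $tp
parameter-map type webauth global
 trustpoint $tp
EOF
}

main() {
    # certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>)
    # to deploy hooks; without it there is nothing to do.
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        echo "usage: RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> $0" >&2
        return 0
    fi
    stamp="$(date +%Y%m%d)"
    tp="WLC-CERT-$stamp"
    bundle_name="$(basename "$RENEWED_LINEAGE")-$stamp.pfx"
    # One-time export password; never reuse a key passphrase here.
    export_pass="$(head -c 18 /dev/urandom | base64 | tr -d '/+=')"

    mkdir -p "$CFG_OUT"
    build_pkcs12 "$RENEWED_LINEAGE" "$TFTP_ROOT/$bundle_name" "$export_pass" "$tp"
    render_wlc_config "$tp" "$bundle_name" "$export_pass" "$TFTP_SERVER" \
        > "$CFG_OUT/$tp.cfg"
    chmod 600 "$CFG_OUT/$tp.cfg"     # the import password is inside
    echo "rendered $CFG_OUT/$tp.cfg; push it to the WLC with your config tool" >&2
}

main "$@"
```

Register it with certbot as a deploy hook (for example via `--deploy-hook` or a script under the renewal-hooks/deploy directory) so it runs only after a successful renewal. Pushing the rendered config to the controller is left to whatever you already use for IOS-XE changes; after the import, check `show crypto pki certificates <trustpoint>` on the WLC before retiring the previous trustpoint, and delete the PKCS12 from the TFTP root once it has been imported, since it carries the private key.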

Thanks for the response Rich, I'll take a look at the link you posted.

Software version 17.3.8a = Bad. Yep, we have been held back by some older APs that we have deployed, but they have just now been replaced. I'll be looking to upgrade the software after the holiday break.

Thanks again for your response.

Dylan

Which APs are you referring to?

You know that 1570/1700/2700/3700 have been supported in 17.9 since 17.9.3 right?
And also currently supported in 17.12.x releases too.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/release-notes/rn-17-12-9800.html#supported-aps
